MariaDB Server: MDEV-7019

String::chop() is wrong and may potentially crash.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.40, 10.0.14
    • Fix Version/s: 5.5.41
    • Component/s: OTHER
    • Labels:

      Description

      Olivier noticed that this code looks wrong in sql_string.h:

        inline void chop()
        {
          /* Writes the terminator at index str_length (one past the last
             character) and only then decrements: the last character stays
             in the buffer, and when str_length already equals the allocated
             length the write lands one byte past the allocation. */
          Ptr[str_length--]= '\0';
        }
      

      it should be written as:

        inline void chop()
        {
          /* Decrement first, then terminate at the new length. */
          Ptr[--str_length]= '\0';
        }
      

      The problem was probably not found because all chop() callers do not really care about correct 0-termination; they only need to reduce the length by 1. Perhaps it should be fixed not to maintain 0-termination at all, to something like this:

        inline void chop()
        {
          /* Only shrink the logical length; never touch the buffer. */
          str_length--;
        }
      
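      As an added illustration, not code from the MariaDB tree: a stand-in for the fields involved (Ptr, str_length and an Alloced_length bound), with the three chop() variants from the description run side by side on the same buffer. It shows that the original version leaves the last character in place and, when str_length already equals the allocated length, writes one byte past the allocation, which is what "may potentially crash" refers to. The ChopVariant / ChopResult / run_chop names, the guard byte and the sample string are assumptions of this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the relevant part of sql_string.h's String:
// a raw buffer (Ptr), its logical length (str_length) and the allocation
// size it must stay within. Not the real class.
enum class ChopVariant { Buggy, Fixed, LengthOnly };

struct ChopResult {
    size_t new_length;
    bool terminated_at_new_length;  // Ptr[str_length] == '\0' after the call
    bool wrote_out_of_bounds;       // a byte at index >= allocated size was written
};

static const char GUARD = 'G';      // sentinel placed just past the allocation

// Run one chop() variant on a copy of `initial` stored in a buffer of
// `alloced_length` bytes and report what it did to the buffer.
ChopResult run_chop(const std::string &initial, size_t alloced_length, ChopVariant variant) {
    assert(!initial.empty() && initial.size() <= alloced_length);
    // One guard byte past the "allocation": an out-of-bounds write shows up
    // here instead of corrupting unrelated memory as it would in the server.
    std::vector<char> buf(alloced_length + 1, GUARD);
    std::memcpy(buf.data(), initial.data(), initial.size());
    char *Ptr = buf.data();
    size_t str_length = initial.size();

    switch (variant) {
    case ChopVariant::Buggy:
        Ptr[str_length--] = '\0';   // terminator at the OLD length, then shrink
        break;
    case ChopVariant::Fixed:
        Ptr[--str_length] = '\0';   // shrink, then terminator at the NEW length
        break;
    case ChopVariant::LengthOnly:
        str_length--;               // shrink only, no write at all
        break;
    }

    ChopResult r;
    r.new_length = str_length;
    r.terminated_at_new_length = (Ptr[str_length] == '\0');
    r.wrote_out_of_bounds = (buf[alloced_length] != GUARD);
    return r;
}

int main() {
    // Constructed case: "abc" in a buffer with no spare byte past the content.
    for (ChopVariant v : {ChopVariant::Buggy, ChopVariant::Fixed, ChopVariant::LengthOnly}) {
        ChopResult r = run_chop("abc", 3, v);
        std::cout << "len=" << r.new_length
                  << " terminated=" << r.terminated_at_new_length
                  << " oob=" << r.wrote_out_of_bounds << '\n';
    }
    return 0;
}
```

      With a spare byte after the content the buggy version merely fails to terminate at the new length (the caller still sees "abc" at index 2); with the buffer exactly full it also writes past the allocation, which the fixed version never does.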


            Activity

            Alexander Barkov added a comment - Upstream bug: http://bugs.mysql.com/bug.php?id=56492

            Alexander Barkov added a comment - Pushed into 5.5.

              People

              • Assignee: Alexander Barkov
              • Reporter: Alexander Barkov