Bug#18539 uncompress(d) is null: impossible?

- Add a check that length of field to uncompress is longer than 4 bytes. This can be dones as the length of uncompressed data is written as first four bytes of field and thus it can't be valid compressed data.

Bug#18539 uncompress(d) is null: impossible?
- Add a check that length of field to uncompress is longer than 4 bytes. This can be dones as the length of uncompressed data is written as first four bytes of field and thus it can't be valid compressed data.
2d43d067 · msvensson@neptunus.(none) · ec183566 · 2d43d067 · 2d43d067
Commit 2d43d067 authored Jul 18, 2006 by msvensson@neptunus.(none)
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 5 deletions

mysql-test/r/func_compress.result mysql-test/r/func_compress.result +5 -5

sql/item_strfunc.cc sql/item_strfunc.cc +10 -0

No files found.
--- a/mysql-test/r/func_compress.result
+++ b/mysql-test/r/func_compress.result
@@ -85,12 +85,12 @@ explain select * from t1 where uncompress(a) is null;
 id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
 1	SIMPLE	t1	system	NULL	NULL	NULL	NULL	1	
 Warnings:
-Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+Error	1259	ZLIB: Input data corrupted
 select * from t1 where uncompress(a) is null;
 a
 foo
 Warnings:
-Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+Error	1259	ZLIB: Input data corrupted
 explain select *, uncompress(a) from t1;
 id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
 1	SIMPLE	t1	system	NULL	NULL	NULL	NULL	1	
@@ -98,12 +98,12 @@ select *, uncompress(a) from t1;
 a	uncompress(a)
 foo	NULL
 Warnings:
-Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+Error	1259	ZLIB: Input data corrupted
 select *, uncompress(a), uncompress(a) is null from t1;
 a	uncompress(a)	uncompress(a) is null
 foo	NULL	1
 Warnings:
-Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+Error	1259	ZLIB: Input data corrupted
-Error	1256	Uncompressed data size too large; the maximum size is 104857600 (probably, length of uncompressed data was corrupted)
+Error	1259	ZLIB: Input data corrupted
 drop table t1;
 End of 5.0 tests
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -2965,6 +2965,16 @@ String *Item_func_uncompress::val_str(String *str)
  if (res->is_empty())
    return res;
+  /* If length is less than 4 bytes, data is corrupt */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd,MYSQL_ERROR::WARN_LEVEL_ERROR,
+			ER_ZLIB_Z_DATA_ERROR,
+			ER(ER_ZLIB_Z_DATA_ERROR));
+    goto err;
+  }
+  /* Size of uncompressed data is stored as first 4 bytes of field */
  new_size= uint4korr(res->ptr()) & 0x3FFFFFFF;
  if (new_size > current_thd->variables.max_allowed_packet)
  {