Bug#12368495 CRASH AND/OR VALGRIND ERRORS WITH REVERSE FUNCTION AND CHARSET CONVERTS

Item_func_trim::val_str: we were using the non-mb algorithm for skipping leading spaces in a multibyte-charset string.

Bug#12368495 CRASH AND/OR VALGRIND ERRORS WITH REVERSE FUNCTION AND CHARSET CONVERTS
Item_func_trim::val_str: we were using the non-mb algorithm for skipping leading spaces in a multibyte-charset string.
7ad0e1c5 · Tor Didriksen · d7ab3bf5 · 7ad0e1c5
Commit 7ad0e1c5 authored Nov 05, 2013 by Tor Didriksen
Show whitespace changes
Inline Side-by-side

Showing with 24 additions and 4 deletions

sql/item_strfunc.cc sql/item_strfunc.cc +24 -4

No files found.
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -1005,6 +1005,7 @@ String *Item_func_reverse::val_str(String *str)
      if ((l= my_ismbchar(res->charset(),ptr,end)))
      {
        tmp-= l;
+        DBUG_ASSERT(tmp >= tmp_value.ptr());
        memcpy(tmp,ptr,l);
        ptr+= l;
      }
@@ -1751,18 +1752,35 @@ String *Item_func_trim::val_str(String *str)
  ptr= (char*) res->ptr();
  end= ptr+res->length();
  r_ptr= remove_str->ptr();
-  while (ptr+remove_length <= end && !memcmp(ptr,r_ptr,remove_length))
-    ptr+=remove_length;
 #ifdef USE_MB
  if (use_mb(res->charset()))
  {
+    while (ptr + remove_length <= end)
+    {
+      uint num_bytes= 0;
+      while (num_bytes < remove_length)
+      {
+        uint len;
+        if ((len= my_ismbchar(res->charset(), ptr + num_bytes, end)))
+          num_bytes+= len;
+        else
+          ++num_bytes;
+      }
+      if (num_bytes != remove_length)
+        break;
+      if (memcmp(ptr, r_ptr, remove_length))
+        break;
+      ptr+= remove_length;
+    }
    char *p=ptr;
    register uint32 l;
 loop:
    while (ptr + remove_length < end)
    {
-      if ((l=my_ismbchar(res->charset(), ptr,end))) ptr+=l;
+      if ((l= my_ismbchar(res->charset(), ptr,end)))
-      else ++ptr;
+        ptr+= l;
+      else
+        ++ptr;
    }
    if (ptr + remove_length == end && !memcmp(ptr,r_ptr,remove_length))
    {
@@ -1775,6 +1793,8 @@ String *Item_func_trim::val_str(String *str)
  else
 #endif /* USE_MB */
  {
+    while (ptr+remove_length <= end && !memcmp(ptr,r_ptr,remove_length))
+      ptr+=remove_length;
    while (ptr + remove_length <= end &&
 	   !memcmp(end-remove_length,r_ptr,remove_length))
      end-=remove_length;