Bug#20729: Bad date_format() call makes mysql server crash

The problem is that the author used the wrong function to send a warning to the user about truncation of data. push_warning() takes a constant string and push_warning_printf() takes a format and variable arguments to fill it. Since the string we were complaining about contains percent characters, the printf() code interprets the "%Y" et c. that the user sends. That's wrong, and often causes a crash, especially if the date mentions seconds, "%s". A alternate fix would be to use push_warning_printf(..., "%s", warn_buff) . mysql-test/r/date_formats.result: Test that an invalid date doesn't crash the server. We should get a warning back instead of a dead socket. mysql-test/t/date_formats.test: Test that an invalid date doesn't crash the server. We should get a warning back instead of a dead socket. sql/time.cc: Don't try to use warn_buf as the start of a varible arguement list to send to a warning-formatted my_vsnprintf() .

Bug#20729: Bad date_format() call makes mysql server crash
The problem is that the author used the wrong function to send a warning to the user about truncation of data. push_warning() takes a constant string and push_warning_printf() takes a format and variable arguments to fill it. Since the string we were complaining about contains percent characters, the printf() code interprets the "%Y" et c. that the user sends. That's wrong, and often causes a crash, especially if the date mentions seconds, "%s". A alternate fix would be to use push_warning_printf(..., "%s", warn_buff) . mysql-test/r/date_formats.result: Test that an invalid date doesn't crash the server. We should get a warning back instead of a dead socket. mysql-test/t/date_formats.test: Test that an invalid date doesn't crash the server. We should get a warning back instead of a dead socket. sql/time.cc: Don't try to use warn_buf as the start of a varible arguement list to send to a warning-formatted my_vsnprintf() .
ed001f18 · unknown · 17986f7c · ed001f18 · ed001f18 · ed001f18
Commit ed001f18 authored Jul 11, 2006 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

mysql-test/r/date_formats.result mysql-test/r/date_formats.result +6 -0

mysql-test/t/date_formats.test mysql-test/t/date_formats.test +7 -1

sql/time.cc sql/time.cc +1 -1

No files found.
--- a/mysql-test/r/date_formats.result
+++ b/mysql-test/r/date_formats.result
@@ -509,3 +509,9 @@ TIME_FORMAT("24:00:00", '%l %p')
 SELECT TIME_FORMAT("25:00:00", '%l %p');
 TIME_FORMAT("25:00:00", '%l %p')
 1 AM
+SELECT DATE_FORMAT('%Y-%m-%d %H:%i:%s', 1151414896);
+DATE_FORMAT('%Y-%m-%d %H:%i:%s', 1151414896)
+NULL
+Warnings:
+Warning	1292	Truncated incorrect datetime value: '%Y-%m-%d %H:%i:%s'
+"End of 4.1 tests"
--- a/mysql-test/t/date_formats.test
+++ b/mysql-test/t/date_formats.test
@@ -275,7 +275,6 @@ drop table t1;
 select str_to_date( 1, NULL );
 select str_to_date( NULL, 1 );
 select str_to_date( 1, IF(1=1,NULL,NULL) );
-# End of 4.1 tests

 #
 # Bug#11326
@@ -298,3 +297,10 @@ SELECT TIME_FORMAT("12:00:00", '%l %p');
 SELECT TIME_FORMAT("23:00:00", '%l %p');
 SELECT TIME_FORMAT("24:00:00", '%l %p');
 SELECT TIME_FORMAT("25:00:00", '%l %p');
+
+#
+# Bug#20729:  Bad date_format() call makes mysql server crash
+#
+SELECT DATE_FORMAT('%Y-%m-%d %H:%i:%s', 1151414896);
+
+--echo "End of 4.1 tests"
--- a/sql/time.cc
+++ b/sql/time.cc
@@ -797,7 +797,7 @@ void make_truncated_value_warning(THD *thd, const char *str_val,
  }
  sprintf(warn_buff, ER(ER_TRUNCATED_WRONG_VALUE),
 	  type_str, str.ptr());
-  push_warning_printf(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
+  push_warning(thd, MYSQL_ERROR::WARN_LEVEL_WARN,
 		      ER_TRUNCATED_WRONG_VALUE, warn_buff);
 }