Bug #57253 for DBD-mysql: the fuction 'count_params' can call segfault (out of string access)

Thu May 06 05:09:49 2010 UNERA [...] cpan.org - Ticket created

Subject:

the fuction 'count_params' can call segfault (out of string access)

I have a children of DBI which catches three methods: prepare/prepare_cached and do. In these methods it appends to query-text a comment with scriptname ($0) using code like: sub prepare { my ($self, $query, @args) = @_; return $self->SUPER::prepare("$query /* $0 */", @args); } Till now I used version 4.07 (Debian/lenny), today I've upgraded DBD::mysql upto 4.014 and it became random crash with errors like: DBD::mysql::db selectrow_hashref failed: called with 1 bind variables when 3 are needed at ../lib/CRM/Session.pm line 47. Line 47 contains code like: my $svalue = dbh->selectrow_hashref(q{ SELECT * FROM session WHERE session = ? }, undef, $sid); I added 'die $query' into 'prepare' block and saw SQL: "SELECT * FROM session WHERE session = ? /* /path/to/document.cgi */" I don't see another '?' in SQL, but it wants. I made a few experiments and found workarround: If I add one space symbol after comment, it will work fine: sub prepare { my ($self, $query, @args) = @_; return $self->SUPER::prepare("$query /* $0 */ ", @args); } I looked through last revision of DBD::mysql and found that it has new block which detect comments in SQL. Random character of the problem forced me to look through Your new code and I found (I think I found) the source of problem: look through dbdimp.c lines 132-141. If SQL-statement is finished to '*/' then: line 132: ptr points to symbol '/' line 134: ptr points to symbol '\0' (EOF) line 138: ptr points to symbol after '\0' (EOF) then it search symbols and commentaries out of string of statement. I think You should check code which detect other comments, too (I didn't)

Sun May 16 09:57:26 2010 CAPTTOFU [...] cpan.org - Taken

Sun May 16 09:59:22 2010 CAPTTOFU [...] cpan.org - Correspondence added

Thank you very much for reporting this bug and pointing out the error! This is what I call a good bug to find. I have a fix in the upcoming 4.015. If you would like try this out prior to release, it's on git clone git://github.com/CaptTofu/DBD-mysql.git Again, Thank you, Patrick On Thu May 06 05:09:49 2010, UNERA wrote: Show quoted text

> I have a children of DBI which catches three methods: > prepare/prepare_cached and do. In these methods it appends to query-text > a comment with scriptname ($0) using code like: > > sub prepare > { > my ($self, $query, @args) = @_; > return $self->SUPER::prepare("$query /* $0 */", @args); > } > > Till now I used version 4.07 (Debian/lenny), today I've upgraded > DBD::mysql upto 4.014 and it became random crash with errors like: > > DBD::mysql::db selectrow_hashref failed: called with 1 bind variables > when 3 are needed at ../lib/CRM/Session.pm line 47. > > Line 47 contains code like: > > my $svalue = dbh->selectrow_hashref(q{ > SELECT * FROM session WHERE session = ? > }, undef, $sid); > > > I added 'die $query' into 'prepare' block and saw SQL: > > "SELECT * FROM session WHERE session = ? /* /path/to/document.cgi */" > > I don't see another '?' in SQL, but it wants. > > I made a few experiments and found workarround: > If I add one space symbol after comment, it will work fine: > > sub prepare > { > my ($self, $query, @args) = @_; > return $self->SUPER::prepare("$query /* $0 */ ", @args); > } > > I looked through last revision of DBD::mysql and found that it has new > block which detect comments in SQL. Random character of the problem > forced me to look through Your new code and I found (I think I found) > the source of problem: look through dbdimp.c lines 132-141. > > If SQL-statement is finished to '*/' then: > line 132: ptr points to symbol '/' > line 134: ptr points to symbol '\0' (EOF) > line 138: ptr points to symbol after '\0' (EOF) > > then it search symbols and commentaries out of string of statement. > > I think You should check code which detect other comments, too (I didn't)

Sun May 16 09:59:23 2010 The RT System itself - Status changed from 'new' to 'open'

Sun May 16 09:59:23 2010 CAPTTOFU [...] cpan.org - Status changed from 'open' to 'resolved'

Mon May 17 04:37:12 2010 unera [...] debian.org - Correspondence added

CC:	UNERA [...] cpan.org
Subject:	Re: [rt.cpan.org #57253] the fuction 'count_params' can call segfault (out of string access)
Date:	Mon, 17 May 2010 12:36:30 +0400
To:	Patrick Galbraith via RT <bug-DBD-mysql [...] rt.cpan.org>
From:	"Dmitry E. Oboukhov" <unera [...] debian.org>

Show quoted text

PGvR> <URL: https://rt.cpan.org/Ticket/Display.html?id=57253 >

Show quoted text

PGvR> Thank you very much for reporting this bug and pointing out the error! PGvR> This is what I call a good bug to find. I have a fix in the upcoming PGvR> 4.015. If you would like try this out prior to release, it's on

Show quoted text

PGvR> git clone git://github.com/CaptTofu/DBD-mysql.git

Show quoted text

PGvR> Again, PGvR> Thank you,

Hi, Patrick! Thank a lot for warm words, sorry for my bad english :) Unfortunately I wont be able to test new versions this week, so I think I'll test new cpan revision :) PS: You promised that You can add an option to include processing '?' symbols in comments (to get compatible with old sources), could You add this options in 4.015? (the other my bugreport) -- ... mpd playing: Paul Mauriat - Dis-Lui . ''`. Dmitry E. Oboukhov : :’ : email: unera@debian.org jabber://UNera@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537

Download signature.asc
application/pgp-signature 198b

Message body not shown because it is not plain text.

Mon May 17 04:37:14 2010 The RT System itself - Status changed from 'resolved' to 'open'

Mon May 31 05:29:33 2010 ppisar [...] redhat.com - Correspondence added

From:

ppisar [...] redhat.com

Dne Ne 16.Květen.2010 09:59:22, CAPTTOFU napsal(a): Show quoted text

> Thank you very much for reporting this bug and pointing out the error! > This is what I call a good bug to find. I have a fix in the upcoming > 4.015. If you would like try this out prior to release, it's on > > git clone git://github.com/CaptTofu/DBD-mysql.git >

It adds new tests only. Does it mean the bug is not fixed yet?

Mon May 31 06:15:28 2010 unera [...] debian.org - Correspondence added

CC:	UNERA [...] cpan.org
Subject:	Re: [rt.cpan.org #57253] the fuction 'count_params' can call segfault (out of string access)
Date:	Mon, 31 May 2010 14:14:44 +0400
To:	Petr Pisar via RT <bug-DBD-mysql [...] rt.cpan.org>
From:	"Dmitry E. Oboukhov" <unera [...] debian.org>

Show quoted text

>> Thank you very much for reporting this bug and pointing out the error! >> This is what I call a good bug to find. I have a fix in the upcoming >> 4.015. If you would like try this out prior to release, it's on >> >> git clone git://github.com/CaptTofu/DBD-mysql.git >>

Show quoted text

PPvR> It adds new tests only. Does it mean the bug is not fixed yet?

I've done git clone, it contains the same (bug is still present) code line 132 - ptr points to '/' line 134 - ptr points to symbol '\0' (EOF) line 138 - ptr points to symbol after '\0' (EOF) I am in vacation, so can't watch the bug properly. -- ... mpd playing: U.D.O. - Faceless World . ''`. Dmitry E. Oboukhov : :’ : email: unera@debian.org jabber://UNera@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537

Download signature.asc
application/pgp-signature 198b

Message body not shown because it is not plain text.

Sat Jun 05 08:58:14 2010 chrisb [...] debian.org - Correspondence added

From:

chrisb [...] debian.org

It looks like there's a similar bug in parse_params to do with comments at the end of statements. It was reported to the Debian bug tracking system here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584428 Looking at the code in parse_params, it seems that the comment detection will only stop when it reaches a newline, and doesn't check for the end of the string. I guess you may have spotted and fixed this issue when fixing count_params, but it seems your git repository is missing the changes to dbdimp.c. I've attached a patch anyway which fixes parse_params.

Subject:

0001-End-comment-detection-at-end-of-string.patch

From 09e92001740136a4dc0b1ee92b7c5c0cd95c0caf Mon Sep 17 00:00:00 2001 From: Chris Butler <chrisb@debian.org> Date: Sat, 5 Jun 2010 13:45:31 +0100 Subject: [PATCH] End comment detection at end of string This prevents an endless loop when a statement ends with a comment and no newline. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584428 for details. --- dbdimp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dbdimp.c b/dbdimp.c index e473a77..aff25a6 100755 --- a/dbdimp.c +++ b/dbdimp.c @@ -595,12 +595,12 @@ static char *parse_params( *ptr++ = *statement_ptr++; if (*statement_ptr == '-') { - /* ignore everything until newline */ + /* ignore everything until newline or end of string */ while (*statement_ptr) { comment_length++; *ptr++ = *statement_ptr++; - if (*statement_ptr == '\n') + if (!*statement_ptr || *statement_ptr == '\n') { comment_end= true; break; -- 1.7.1

Fri Jul 09 15:26:17 2010 CAPTTOFU [...] cpan.org - Correspondence added

Rolling a release today( 4.015) - this fix is in that release. Thanks!

Fri Jul 09 15:26:18 2010 CAPTTOFU [...] cpan.org - Status changed from 'open' to 'resolved'

Fri Jul 09 15:30:42 2010 CAPTTOFU [...] cpan.org - Correspondence added

Dimtry, Privet! I decided to add an option for developers like yourself have have come to depend on placeholders in comments being bound: $dbh->{mysql_bind_comment_placeholders}= 1; # for old behavior I'm rolling a release (4.015) today that will include this! Thank you, Patrick On Mon May 17 04:37:12 2010, unera@debian.org wrote: Show quoted text

> PGvR> <URL: https://rt.cpan.org/Ticket/Display.html?id=57253 >

>

> PGvR> Thank you very much for reporting this bug and pointing out the

error! Show quoted text

> PGvR> This is what I call a good bug to find. I have a fix in the

upcoming Show quoted text

> PGvR> 4.015. If you would like try this out prior to release, it's on

>

> PGvR> git clone git://github.com/CaptTofu/DBD-mysql.git

>

> PGvR> Again, > PGvR> Thank you,

> > > Hi, Patrick! > > Thank a lot for warm words, sorry for my bad english :) > > Unfortunately I wont be able to test new versions this week, so I > think I'll test new cpan revision :) > > PS: You promised that You can add an option to include processing '?' > symbols in comments (to get compatible with old sources), could You > add this options in 4.015? (the other my bugreport) >

Fri Jul 09 15:30:43 2010 The RT System itself - Status changed from 'resolved' to 'open'

Mon Aug 09 21:36:34 2010 CAPTTOFU [...] cpan.org - Correspondence added

Fixed in 4.015

Mon Aug 09 21:36:36 2010 CAPTTOFU [...] cpan.org - Status changed from 'open' to 'resolved'