Skip Menu |
 

This queue is for tickets about the DBD-mysql CPAN distribution.

Report information
The Basics
Id: 57253
Status: resolved
Priority: 0/
Queue: DBD-mysql

People
Owner: CAPTTOFU [...] cpan.org
Requestors: UNERA [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 4.014
Fixed in: (no value)



Subject: the fuction 'count_params' can call segfault (out of string access)
Download (untitled) / with headers
text/plain 1.6k
I have a children of DBI which catches three methods: prepare/prepare_cached and do. In these methods it appends to query-text a comment with scriptname ($0) using code like: sub prepare { my ($self, $query, @args) = @_; return $self->SUPER::prepare("$query /* $0 */", @args); } Till now I used version 4.07 (Debian/lenny), today I've upgraded DBD::mysql upto 4.014 and it became random crash with errors like: DBD::mysql::db selectrow_hashref failed: called with 1 bind variables when 3 are needed at ../lib/CRM/Session.pm line 47. Line 47 contains code like: my $svalue = dbh->selectrow_hashref(q{ SELECT * FROM session WHERE session = ? }, undef, $sid); I added 'die $query' into 'prepare' block and saw SQL: "SELECT * FROM session WHERE session = ? /* /path/to/document.cgi */" I don't see another '?' in SQL, but it wants. I made a few experiments and found workarround: If I add one space symbol after comment, it will work fine: sub prepare { my ($self, $query, @args) = @_; return $self->SUPER::prepare("$query /* $0 */ ", @args); } I looked through last revision of DBD::mysql and found that it has new block which detect comments in SQL. Random character of the problem forced me to look through Your new code and I found (I think I found) the source of problem: look through dbdimp.c lines 132-141. If SQL-statement is finished to '*/' then: line 132: ptr points to symbol '/' line 134: ptr points to symbol '\0' (EOF) line 138: ptr points to symbol after '\0' (EOF) then it search symbols and commentaries out of string of statement. I think You should check code which detect other comments, too (I didn't)
Thank you very much for reporting this bug and pointing out the error! This is what I call a good bug to find. I have a fix in the upcoming 4.015. If you would like try this out prior to release, it's on git clone git://github.com/CaptTofu/DBD-mysql.git Again, Thank you, Patrick On Thu May 06 05:09:49 2010, UNERA wrote: Show quoted text
> I have a children of DBI which catches three methods: > prepare/prepare_cached and do. In these methods it appends to query-text > a comment with scriptname ($0) using code like: > > sub prepare > { > my ($self, $query, @args) = @_; > return $self->SUPER::prepare("$query /* $0 */", @args); > } > > Till now I used version 4.07 (Debian/lenny), today I've upgraded > DBD::mysql upto 4.014 and it became random crash with errors like: > > DBD::mysql::db selectrow_hashref failed: called with 1 bind variables > when 3 are needed at ../lib/CRM/Session.pm line 47. > > Line 47 contains code like: > > my $svalue = dbh->selectrow_hashref(q{ > SELECT * FROM session WHERE session = ? > }, undef, $sid); > > > I added 'die $query' into 'prepare' block and saw SQL: > > "SELECT * FROM session WHERE session = ? /* /path/to/document.cgi */" > > I don't see another '?' in SQL, but it wants. > > I made a few experiments and found workarround: > If I add one space symbol after comment, it will work fine: > > sub prepare > { > my ($self, $query, @args) = @_; > return $self->SUPER::prepare("$query /* $0 */ ", @args); > } > > I looked through last revision of DBD::mysql and found that it has new > block which detect comments in SQL. Random character of the problem > forced me to look through Your new code and I found (I think I found) > the source of problem: look through dbdimp.c lines 132-141. > > If SQL-statement is finished to '*/' then: > line 132: ptr points to symbol '/' > line 134: ptr points to symbol '\0' (EOF) > line 138: ptr points to symbol after '\0' (EOF) > > then it search symbols and commentaries out of string of statement. > > I think You should check code which detect other comments, too (I didn't)
CC: UNERA [...] cpan.org
Subject: Re: [rt.cpan.org #57253] the fuction 'count_params' can call segfault (out of string access)
Date: Mon, 17 May 2010 12:36:30 +0400
To: Patrick Galbraith via RT <bug-DBD-mysql [...] rt.cpan.org>
From: "Dmitry E. Oboukhov" <unera [...] debian.org>
Download (untitled) / with headers
text/plain 1016b
Show quoted text
Show quoted text
PGvR> Thank you very much for reporting this bug and pointing out the error! PGvR> This is what I call a good bug to find. I have a fix in the upcoming PGvR> 4.015. If you would like try this out prior to release, it's on
Show quoted text
PGvR> git clone git://github.com/CaptTofu/DBD-mysql.git
Show quoted text
PGvR> Again, PGvR> Thank you,
Hi, Patrick! Thank a lot for warm words, sorry for my bad english :) Unfortunately I wont be able to test new versions this week, so I think I'll test new cpan revision :) PS: You promised that You can add an option to include processing '?' symbols in comments (to get compatible with old sources), could You add this options in 4.015? (the other my bugreport) -- ... mpd playing: Paul Mauriat - Dis-Lui . ''`. Dmitry E. Oboukhov : :’ : email: unera@debian.org jabber://UNera@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Download signature.asc
application/pgp-signature 198b

Message body not shown because it is not plain text.

From: ppisar [...] redhat.com
Download (untitled) / with headers
text/plain 385b
Dne Ne 16.Květen.2010 09:59:22, CAPTTOFU napsal(a): Show quoted text
> Thank you very much for reporting this bug and pointing out the error! > This is what I call a good bug to find. I have a fix in the upcoming > 4.015. If you would like try this out prior to release, it's on > > git clone git://github.com/CaptTofu/DBD-mysql.git >
It adds new tests only. Does it mean the bug is not fixed yet?
CC: UNERA [...] cpan.org
Subject: Re: [rt.cpan.org #57253] the fuction 'count_params' can call segfault (out of string access)
Date: Mon, 31 May 2010 14:14:44 +0400
To: Petr Pisar via RT <bug-DBD-mysql [...] rt.cpan.org>
From: "Dmitry E. Oboukhov" <unera [...] debian.org>
Download (untitled) / with headers
text/plain 863b
Show quoted text
>> Thank you very much for reporting this bug and pointing out the error! >> This is what I call a good bug to find. I have a fix in the upcoming >> 4.015. If you would like try this out prior to release, it's on >> >> git clone git://github.com/CaptTofu/DBD-mysql.git >>
Show quoted text
PPvR> It adds new tests only. Does it mean the bug is not fixed yet?
I've done git clone, it contains the same (bug is still present) code line 132 - ptr points to '/' line 134 - ptr points to symbol '\0' (EOF) line 138 - ptr points to symbol after '\0' (EOF) I am in vacation, so can't watch the bug properly. -- ... mpd playing: U.D.O. - Faceless World . ''`. Dmitry E. Oboukhov : :’ : email: unera@debian.org jabber://UNera@uvw.ru `. `~’ GPGKey: 1024D / F8E26537 2006-11-21 `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
Download signature.asc
application/pgp-signature 198b

Message body not shown because it is not plain text.

From: chrisb [...] debian.org
Download (untitled) / with headers
text/plain 577b
It looks like there's a similar bug in parse_params to do with comments at the end of statements. It was reported to the Debian bug tracking system here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584428 Looking at the code in parse_params, it seems that the comment detection will only stop when it reaches a newline, and doesn't check for the end of the string. I guess you may have spotted and fixed this issue when fixing count_params, but it seems your git repository is missing the changes to dbdimp.c. I've attached a patch anyway which fixes parse_params.
Subject: 0001-End-comment-detection-at-end-of-string.patch
From 09e92001740136a4dc0b1ee92b7c5c0cd95c0caf Mon Sep 17 00:00:00 2001 From: Chris Butler <chrisb@debian.org> Date: Sat, 5 Jun 2010 13:45:31 +0100 Subject: [PATCH] End comment detection at end of string This prevents an endless loop when a statement ends with a comment and no newline. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584428 for details. --- dbdimp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dbdimp.c b/dbdimp.c index e473a77..aff25a6 100755 --- a/dbdimp.c +++ b/dbdimp.c @@ -595,12 +595,12 @@ static char *parse_params( *ptr++ = *statement_ptr++; if (*statement_ptr == '-') { - /* ignore everything until newline */ + /* ignore everything until newline or end of string */ while (*statement_ptr) { comment_length++; *ptr++ = *statement_ptr++; - if (*statement_ptr == '\n') + if (!*statement_ptr || *statement_ptr == '\n') { comment_end= true; break; -- 1.7.1
Rolling a release today( 4.015) - this fix is in that release. Thanks!
Download (untitled) / with headers
text/plain 1.1k
Dimtry, Privet! I decided to add an option for developers like yourself have have come to depend on placeholders in comments being bound: $dbh->{mysql_bind_comment_placeholders}= 1; # for old behavior I'm rolling a release (4.015) today that will include this! Thank you, Patrick On Mon May 17 04:37:12 2010, unera@debian.org wrote: Show quoted text
>
> PGvR> Thank you very much for reporting this bug and pointing out the
error! Show quoted text
> PGvR> This is what I call a good bug to find. I have a fix in the
upcoming Show quoted text
> PGvR> 4.015. If you would like try this out prior to release, it's on
>
> PGvR> git clone git://github.com/CaptTofu/DBD-mysql.git
>
> PGvR> Again, > PGvR> Thank you,
> > > Hi, Patrick! > > Thank a lot for warm words, sorry for my bad english :) > > Unfortunately I wont be able to test new versions this week, so I > think I'll test new cpan revision :) > > PS: You promised that You can add an option to include processing '?' > symbols in comments (to get compatible with old sources), could You > add this options in 4.015? (the other my bugreport) >
Fixed in 4.015


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.