Bug #25481041: WL#9106: SIGNAL 11 IN STRINGS/CTYPE-UCA.CC

Steinar H. Gunderson · Steinar H. Gunderson · commit 567cee52b635 · 2017-02-09T16:59:15.000+01:00
Make sure hashing and strnxfrm for UCA collations accept nullptr
without crashing; we would form a pointer that wrapped around.
In particular, this would happen when trying to hash an empty blob
(MyISAM returns a null pointer in this case).

Performance on microbenchmarks is neutral or ever so slightly better;
generally within measurement noise (~1%).

Change-Id: I4e352e425f057b89599e32c477baea004b65aeea
diff --git a/strings/ctype-uca.cc b/strings/ctype-uca.cc
@@ -1633,6 +1633,13 @@ ALWAYS_INLINE void uca_scanner_900<Mb_wc, LEVELS_FOR_COMPARE>::for_each_weight(
   const uint16 *ascii_wpage= UCA900_WEIGHT_ADDR(
     cs->uca->weights[0], /*level=*/weight_lv, /*subcode=*/0);
 
+  /*
+    Precalculate the limit for the fast path below, taking care not to form
+    pointers that are before sbeg, as those cannot be legally compared.
+    (In particular, this catches the case of sbeg == send == nullptr.)
+  */
+  const uchar *send_local= (send - sbeg > 3) ? (send - 3) : sbeg;
+
   for ( ;; )
   {
     /*
@@ -1652,7 +1659,6 @@ ALWAYS_INLINE void uca_scanner_900<Mb_wc, LEVELS_FOR_COMPARE>::for_each_weight(
       we'd otherwise have to do.
     */
     const uchar *sbeg_local= sbeg;
-    const uchar *send_local= send - (sizeof(uint32) - 1);
     while (sbeg_local < send_local && preaccept_data(sizeof(uint32)))
     {
       /*
diff --git a/unittest/gunit/strings_strnxfrm-t.cc b/unittest/gunit/strings_strnxfrm-t.cc
@@ -315,6 +315,20 @@ TEST(StrXfrmTest, UTF8MB4PadCorrectness_2)
   }
 }
 
+TEST(StrXfrmTest, NullPointer)
+{
+  CHARSET_INFO *cs= init_collation("utf8mb4_0900_ai_ci");
+  unsigned char buf[256];
+
+  memset(buf, 0x33, sizeof(buf));
+  cs->coll->strnxfrm(
+    cs, buf, sizeof(buf), sizeof(buf), nullptr, 0, MY_STRXFRM_PAD_TO_MAXLEN);
+
+  for (size_t i= 0; i < sizeof(buf); ++i) {
+    EXPECT_EQ(0, buf[i]);
+  }
+}
+
 // Benchmark based on reduced test case in Bug #83247 / #24788778.
 //
 // Note: This benchmark does not exercise any real multibyte characters;
@@ -1234,4 +1248,21 @@ TEST(PadCollationTest, HashSort)
   EXPECT_NE(hash(as_cs, "ab  c"), hash(as_cs, "abc"));
 }
 
+TEST(HashTest, NullPointer)
+{
+  CHARSET_INFO *cs= init_collation("utf8mb4_0900_ai_ci");
+  ulong nr1= 1, nr2= 4;
+
+  /*
+    We should get the same hash from the empty string no matter what
+    the pointer is.
+  */
+  cs->coll->hash_sort(cs, nullptr, 0, &nr1, &nr2);
+  EXPECT_EQ(nr1, hash(cs, ""));
+
+  cs->coll->hash_sort(
+    cs, pointer_cast<const uchar *>("        "), 8, &nr1, &nr2);
+  // Don't care what the values are, just that we don't crash.
+}
+
 }  // namespace strnxfrm_unittest
