[MDEV-14981] String::c_ptr may abort Created: 2018-01-17  Updated: 2020-12-01

Status: Open
Project: MariaDB Server
Component/s: Debug, Server
Affects Version/s: 10.2.12
Fix Version/s: 10.2

Type: Bug Priority: Major
Reporter: David Hall (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


Description

The function String::c_ptr() has a debug assert to ensure there was room for a '\0' terminator. This may be false in the following series.

Start with a string where str_length == Alloced_length - 1.
Append a single character such that this is called:

  inline bool append(char chr)
  {
    if (str_length < Alloced_length)
    {
      /* Room for one more byte: no realloc, even if it is the last byte */
      Ptr[str_length++]=chr;
    }
    else
    {
      /* Buffer completely full: grow it, then store the character */
      if (realloc_with_extra(str_length + 1))
        return 1;
      Ptr[str_length++]=chr;
    }
    return 0;
  }

The character is added, wiping out the '\0' and creating a situation where str_length == Alloced_length, and if c_ptr() is called next, the debug assert aborts.



Comments
Comment by Sergei Golubchik [ 2018-01-22 ]

There are three methods:

  1. c_ptr_safe() — appends '\0' to the string, allocating more memory, if needed.
  2. c_ptr_quick() — appends '\0' to the string, doesn't do anything if there's not enough space in the buffer.
  3. c_ptr() — appends '\0' to the string, crashes if there's not enough space in the buffer.

I fail to see how c_ptr_quick() and c_ptr() can be useful, so perhaps we should remove them and always use c_ptr_safe() ?
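The sequence from the description and the contract of the three methods from the comment above, reconstructed as an added example (not the server's own String code): MiniString is a stand-in written for this ticket, and its 32-byte realloc slack and the 4-byte starting buffer are assumptions made here.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Minimal stand-in for MariaDB's String, reconstructed from the ticket (not the server's code).
struct MiniString {
  char *Ptr;
  uint32_t str_length;
  uint32_t Alloced_length;
  explicit MiniString(uint32_t n) : Ptr((char *)malloc(n)), str_length(0), Alloced_length(n) {}
  ~MiniString() { free(Ptr); }
  // Grow so that at least `needed` bytes fit; returns true on failure, as in the server.
  bool realloc_with_extra(uint32_t needed) {
    uint32_t n = needed + 32;  // 32 bytes of slack is this example's arbitrary choice
    char *p = (char *)realloc(Ptr, n);
    if (!p) return true;
    Ptr = p; Alloced_length = n;
    return false;
  }
  // Same logic as the append(char) quoted in the description: it reallocates only
  // when the buffer is completely full, so it can consume the byte kept for '\0'.
  bool append(char chr) {
    if (str_length < Alloced_length) { Ptr[str_length++] = chr; return false; }
    if (realloc_with_extra(str_length + 1)) return true;
    Ptr[str_length++] = chr; return false;
  }
  // The precondition c_ptr() checks with a debug assert: room for the terminator.
  bool has_room_for_terminator() const { return str_length < Alloced_length; }
  // c_ptr_safe() as described in the comment: grow first if needed, then terminate.
  const char *c_ptr_safe() {
    if (!has_room_for_terminator() && realloc_with_extra(str_length + 1)) return nullptr;
    Ptr[str_length] = '\0';
    return Ptr;
  }
};

// The sequence from the report: str_length == Alloced_length - 1, then one append.
bool append_consumes_terminator_slot() {
  MiniString s(4);
  s.append('a'); s.append('b'); s.append('c');  // str_length == 3 == Alloced_length - 1
  s.append('d');                                // no realloc: str_length == Alloced_length
  return !s.has_room_for_terminator();          // c_ptr() would abort here in a debug build
}
// Same state, terminated with c_ptr_safe() instead: the buffer grows and the result is valid.
bool c_ptr_safe_recovers() {
  MiniString s(4);
  for (const char *q = "abcd"; *q; ++q) s.append(*q);
  const char *p = s.c_ptr_safe();
  return p != nullptr && strcmp(p, "abcd") == 0 && s.Alloced_length > 4;
}
```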

Generated at Thu Feb 08 08:17:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.