Open r33s3n6 opened 2 weeks ago
The root cause is in https://github.com/pingcap/tidb/blob/e13bfebaf0ecd18ef6fd2057869da7e2b2e734f2/pkg/planner/core/logical_plan_builder.go#L1557-L1559
It tries to adjust the flen for integer, but it does not consider the case that flen() == -1
, which actually means no length limit, so after the adjustment, the flen is set to 20, which is not expected.
1. Minimal reproduce step (Required)
2. What did you expect to see? (Required)
3. What did you see instead (Required)
4. What is your TiDB version? (Required)
about us
We are the BASS team from the School of Cyber Science and Technology at Beihang University. Our main focus is on system software security, operating systems, and program analysis research, as well as the development of automated program testing frameworks for detecting software defects. Using our self-developed database vulnerability testing tool, we have identified the above-mentioned vulnerabilities in TiDB that may lead to database logic error.