bound the trailing hex read in my_mb_wc_filename

[jmestwa-coder]

my_mb_wc_filename decodes the 5-byte '@hhhh' escape but the length guard is off by one:

• the s + 4 > e check only covers 4 bytes while the hex branch reads s[4]
• a truncated @HHH whose buffer ends at s+4 over-reads one byte past e, reachable through well_formed_length/charpos on a my_charset_filename string with tight bounds
• the existing s[3] ? guard only stops at a NUL terminator, not at the end pointer
  bound the s[4] read against e; added a strings-t case that returns ILSEQ instead of over-reading (ASAN flags the read of size 1 past a 4-byte buffer before the fix).

[gemini-code-assist]

Code Review

This pull request fixes an out-of-bounds read vulnerability in my_mb_wc_filename by ensuring that the end pointer is checked before reading the 4th hex digit of a truncated escape sequence. It also adds a unit test to verify this behavior. The review comments suggest improving the unit test by returning the actual return value of my_ci_mb_wc and asserting the expected error code (MY_CS_ILSEQ) directly, which makes the test more idiomatic and direct.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Returning the actual return value of my_ci_mb_wc rather than a boolean mapping makes the test more direct and easier to understand. We can then assert the expected error code (MY_CS_ILSEQ) directly in the test runner.

static int test_mb_wc_filename_truncated()
{
  CHARSET_INFO *cs= &my_charset_filename;
  uchar buf[5]= {'@', '0', '0', '0', '1'};
  my_wc_t wc= 0;
  return my_ci_mb_wc(cs, &wc, buf, buf + 4);
}

[gemini-code-assist]

Asserting the expected error code (MY_CS_ILSEQ) directly is more idiomatic and provides clearer test output if the assertion fails.

  ok(test_mb_wc_filename_truncated() == MY_CS_ILSEQ,
     "filename decoder does not read past the end pointer");

[gkodinov]

Thank you for your contribution! This is a preliminary review.

Thank you for working out a test this time!
FWIW, the whole thing is highly theoretical IMHO, since right now most of the file name buffers are of fixed size. I'd be VERY surprised if you find an integral test with this. Have you thought about a possible one?

Otherwise, on the formal side, please add a commit message to your commit.

[gkodinov]

FWIW, @NNN (3 symbols) is not a valid escape! You could just change the check above to say s + 5 and be done with it (and remove all the ifs and buts).

[jmestwa-coder]

Yep, @hhh isn't a valid escape. Switched the check above to s + 5 > e (TOOSMALL5) and dropped the per-byte guards, so s[3]/s[4] are plain hexlo() reads now.

[jmestwa-coder]

Pushed both points:

• guard is now s + 5 > e and the per-byte ifs are gone, per your note
• added a commit message body

On a real-world trigger: agreed, it's theoretical. The filename buffers on the server paths are all fixed-size and NUL-terminated, so I couldn't get a SQL-level case to reach s[4] past the end either. The only route that does is well_formed_length/charpos with a tight, non-terminated end pointer, which is what the strings-t case feeds. I don't have an integral test to offer beyond that one, so happy to drop it if you'd rather not carry the unit test.