• Nisha Gopalakrishnan's avatar
    BUG#11757250: REPLACE(...) INSIDE A STORED PROCEDURE. · 3d9d0e77
    Nisha Gopalakrishnan authored
    Analysis:
    --------
    
    REPLACE operation provides incorrect output when
    user variable is supplied as an argument and there
    are multiple rows on which the operation is performed.
    
    Consider the example below:
    
    SET @var='(( 00000000 ++ 00000000 ))';
    SELECT REPLACE(@var, '00000000', table_name) AS a FROM
    INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='mysql';
    
    Invalid output:
      +---------------------------------------+
      | REPLACE(@var, '00000000', TABLE_NAME) |
      +---------------------------------------+
      | (( columns_priv ++ columns_priv ))    |
      | (( columns_priv ++ columns_priv ))    |
          ......
          ......
      | (( columns_priv ++ columns_priv ))    |
      | (( columns_priv ++ columns_priv ))    |
      | (( columns_priv ++ columns_priv ))    |
      +---------------------------------------+
    
    The user argument supplied as the string to REPLACE
    operation is overwritten after the first iteration
    to '(( columns_priv ++ columns_priv ))'.
    The overwritten string after the first iteration
    is used for the subsequent REPLACE iteration. Since
    the pattern string is not found, it returns invalid
    output as mentioned above.
    
    Fix:
    ---
    If the Alloced_length is zero, realloc() and create a
    copy of the string which is then used for the REPLACE
    operation for every iteration.
    3d9d0e77
sql_string.cc 19.9 KB