1. 18 Jul, 2011 4 commits
  2. 15 Jul, 2011 4 commits
    • Tor Didriksen's avatar
    • Tor Didriksen's avatar
      merge 5.0-security => 5.1-security · 93915d0d
      Tor Didriksen authored
      93915d0d
    • Tor Didriksen's avatar
      Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL · cfcd49b4
      Tor Didriksen authored
      The buffer was simply too small.
      In 5.5 and trunk, the size is 311 + 31,
      in 5.1 and below, the size is 331
      
      
      client/sql_string.cc:
        Increase buffer size in String::set(double, ...)
      include/m_string.h:
        Increase FLOATING_POINT_BUFFER
      mysql-test/r/type_float.result:
        New test cases.
      mysql-test/t/type_float.test:
        New test cases.
      sql/sql_string.cc:
        Increase buffer size in String::set(double, ...)
      sql/unireg.h:
        Move definition of FLOATING_POINT_BUFFER
      cfcd49b4
    • Davi Arnaut's avatar
      Bug#12736295 Buffer overflow for variable converted_err with · 28e6b4ed
      Davi Arnaut authored
                   non-latin1 server error message
      
      The problem was a one byte buffer overflow in the conversion
      of a error message between character sets. Ahead of explaining
      the problem further, some background information. Before an
      error message is sent to the user, the message is converted
      to the character set specified in the character_set_results
      variable. For various reasons, this conversion might cause
      the message to increase in length -- for example, if certain
      characters can't be represented in the result character set.
      
      If the final message length is greater than the maximum allowed
      length of a error message (MYSQL_ERRMSG_SIZE), the message
      is truncated. The message is also always null-terminated
      regardless of the character set. The problem arises from this
      null-termination. If a message length reached the maximum,
      the terminating null character would be placed one byte past
      the end of the message buffer.
      
      The solution is to reserve the end of the message buffer for
      the null character.
      
      mysql-test/t/ctype_errors.test:
        Add test case for Bug#12736295.
      sql/sql_error.cc:
        The to_end pointer was actually pointing past the end of
        the buffer. Since the message is always null terminated,
        point to_end to the last position of the buffer.
      28e6b4ed
  3. 11 Jul, 2011 2 commits
    • Tor Didriksen's avatar
      merge 5.1-security => 5.5-security · c1911979
      Tor Didriksen authored
      c1911979
    • Tor Didriksen's avatar
      Bug#11765255 - 58201: VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS · 08ecbd5a
      Tor Didriksen authored
      We must allocate a larger ref_pointer_array. We failed to account for extra
      items allocated here:
      #0  find_order_in_list 
        uint el= all_fields.elements;
        all_fields.push_front(order_item); /* Add new field to field list. */
        ref_pointer_array[el]= order_item;
        order->item= ref_pointer_array + el;
      #1  setup_order
      #2  setup_without_group
      #3  JOIN::prepare
      
      
      mysql-test/r/order_by.result:
        New test case.
      mysql-test/r/union.result:
        New test case.
      mysql-test/t/order_by.test:
        New test case.
      mysql-test/t/union.test:
        New test case.
      sql/sql_lex.cc:
        find_order_in_list() may need some extra space, so multiply og_num by two.
      sql/sql_union.cc:
        For UNION, the 'n_sum_items' are accumulated in the "global_parameters" select_lex.
        This number must be propagated to setup_ref_array()
        
        When preparing a 'fake_select_lex' we need to use global_parameters->order_list
        rather than fake_select_lex->order_list (see comments inside st_select_lex_unit::cleanup)
      08ecbd5a
  4. 07 Jul, 2011 6 commits
  5. 06 Jul, 2011 1 commit
  6. 05 Jul, 2011 2 commits
  7. 04 Jul, 2011 1 commit
  8. 03 Jul, 2011 2 commits
  9. 01 Jul, 2011 2 commits
  10. 30 Jun, 2011 3 commits
  11. 29 Jun, 2011 1 commit
  12. 21 Jun, 2011 1 commit
    • Alexander Nozdrin's avatar
      Patch for Bug 12652769 - 61470: CASE OPERATOR IN STORED ROUTINE RETAINS · 8b1566aa
      Alexander Nozdrin authored
      OLD VALUE OF INPUT PARAMETER.
      
      The user-visible problem was that CASE-control-flow function
      (not CASE-statement) misbehaved in stored routines under some
      circumstances. The problem resulted in a crash or wrong data
      returned. The error happened when expressions in CASE-function
      were not of the same character set.
      
      A CASE-function should return values of the same character set
      for all branches. Internally, that means a new Item-instance
      for the CONVERT(... USING <some charset>)-function is added
      to the item tree when needed. The problem was that such changes
      were not properly recorded using THD::change_item_tree(),
      thus dangling pointers remain in the item tree after
      THD::rollback_item_tree_changes(), which lead to undefined
      behavior (i.e. crash / wrong data) for subsequent executions of
      the stored routine.
      
      This bug was introduced by a patch for Bug 11753363
      (44793 - CHARACTER SETS: CASE CLAUSE, UCS2 OR UTF32, FAILURE).
      
      The fixed function is Item_func_case::fix_length_and_dec().
      New CONVERT-items are added in agg_item_set_converter(),
      which calls THD::change_item_tree().
      
      The problem was that an intermediate array was passed
      to agg_item_set_converter(). Thus, THD::change_item_tree() there
      was called on intermediate objects.
      
      Note: those intermediate objects are allocated on THD's
      memory root, so it's Ok to put them into "changed item lists".
      
      The fix is to track changes on the correct objects.
      8b1566aa
  13. 16 Jun, 2011 7 commits
    • Georgi Kodinov's avatar
      merge 5.1-security->5.5-security · 0a07be0b
      Georgi Kodinov authored
      0a07be0b
    • Georgi Kodinov's avatar
      merge mysql-5.5->mysql-5.5-security · 5cfac860
      Georgi Kodinov authored
      5cfac860
    • Georgi Kodinov's avatar
    • Georgi Kodinov's avatar
      bad47ac6
    • Georgi Kodinov's avatar
    • Jorgen Loland's avatar
      BUG#11882110: UPDATE REPORTS ER_KEY_NOT_FOUND IF TABLE IS · 5a0e7394
      Jorgen Loland authored
                    UPDATED TWICE
      
      For multi update it is not allowed to update a column
      of a table if that table is accessed through multiple aliases
      and either
      1) the updated column is used as partitioning key
      2) the updated column is part of the primary key 
         and the primary key is clustered
      
      This check is done in unsafe_key_update().
      
      The bug was that for case 2), it was checked whether
      updated_column_number == table_share->primary_key 
      However, the primary_key variable is the index number of the 
      primary key, not a column number.
      
      Prior to this bugfix, the first column was wrongly believed to be
      the primary key. The columns covered by an index is found in
      table->key_info[idx_number]->key_part. The bugfix is to check if
      any of the columns in the keyparts of the primary key are
      updated.
      
      The user-visible effect is that for storage engines with
      clustered primary key (e.g. InnoDB but not MyISAM) queries
      like 
      "UPDATE t1 AS A JOIN t2 AS B SET A.primkey=..."
      will now error with 
      "ERROR HY000: Primary key/partition key update is not allowed 
      since the table is updated both as 'A' and 'B'." 
      instead of 
      "ERROR 1032 (HY000): Can't find record in 't1_tb'"
      even if primkey is not the first column in the table. This 
      was the intended behavior of bugfix 11764529.
      
      
      mysql-test/r/multi_update.result:
        Add test for bug#11882110
      mysql-test/r/multi_update_innodb.result:
        Add test for bug#11882110
      mysql-test/t/multi_update.test:
        Add test for bug#11882110
      mysql-test/t/multi_update_innodb.test:
        Add test for bug#11882110
      sql/sql_update.cc:
        unsafe_key_update() wrongly checked if the primary key index
        number was the same as updated column number. Now it is checked
        whether any of the columns making up the primary key is updated.
      sql/table.h:
        Fix comment on TABLE_SHARE::primary_key. Incorrect comment
        was introduced by an earlier merge conflict (as per dlenev)
      5a0e7394
    • Vinay Fisrekar's avatar
      4e4e09ea
  14. 15 Jun, 2011 4 commits