1. 29 Oct, 2010 4 commits
    • Sergey Glukhov's avatar
      5.1-security->5.5-security merge · 982b18f5
      Sergey Glukhov authored
      982b18f5
    • Sergey Glukhov's avatar
      Bug#57688 Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, field · 4a23ac20
      Sergey Glukhov authored
      Lines below which were added in the patch for Bug#56814 cause this crash:
      
      +      if (table->table)
      +        table->table->maybe_null= FALSE;
      
      Consider following test case:
      --
      CREATE TABLE t1(f1 INT NOT NULL);
      INSERT INTO t1 VALUES (16777214),(0);
      
      SELECT COUNT(*) FROM t1 LEFT JOIN t1 t2
      ON 1 WHERE t2.f1 > 1 GROUP BY t2.f1;
      
      DROP TABLE t1;
      --
      
      We set TABLE::maybe_null to FALSE for t2 table
      and in create_tmp_field() we create appropriate tmp table field
      using create_tmp_field_from_item() function instead of
      create_tmp_field_from_field. As a result we have
      LONGLONG field. As we have GROUP BY clause we calculate
      group buffer length, see calc_group_buffer().
      Item from group list which is used for calculation
      refer to the field from real tables and have LONG type.
      So group buffer length become insufficient for storing of
      LONGLONG value. It leads to overwriting of wrong memory
      area in do_field_int() function which is called from
      end_update().
      After some investigation I found out that
      create_tmp_field_from_item() is used only for OLAP
      grouping and can not be used for common grouping
      as it could be an incompatibility between tmp
      table fields and group buffer length.
      We can not remove create_tmp_field_from_item() call from
      create_tmp_field as OLAP needs it and we can not use this
      function for common grouping. So we should remove setting
      TABLE::maybe_null to FALSE from simplify_joins().
      In this case we'll get wrong behaviour of
      list_contains_unique_index() back. To fix it we
      could use Field::real_maybe_null() check instead of
      Field::maybe_null() and add addition check of
      TABLE_LIST::outer_join.
      
      
      mysql-test/r/group_by.result:
        test case
      mysql-test/r/join_outer.result:
        test case
      mysql-test/t/group_by.test:
        test case
      mysql-test/t/join_outer.test:
        test case
      sql/sql_select.cc:
        --remove wrong code
        --use Field::real_maybe_null() check instead of
          Field::maybe_null() and add addition check of
          TABLE_LIST::outer_join
      4a23ac20
    • Sergey Glukhov's avatar
      5.1-security->5.5-security · 7799c323
      Sergey Glukhov authored
      7799c323
    • Sergey Glukhov's avatar
      Bug#57194 group_concat cause crash and/or invalid memory reads with type errors · c04bf683
      Sergey Glukhov authored
      The problem is caused by bug49487 fix and became visible
      after after bug56679 fix.
      Items are cleaned up and set to unfixed state after filling derived table.
      So we can not rely on item::fixed state in Item_func_group_concat::print
      and we can not use 'args' array as items there may be cleaned up.
      The fix is always to use orig_args array of items as it
      always should contain the correct data.
      
      
      mysql-test/r/func_gconcat.result:
        test case
      mysql-test/t/func_gconcat.test:
        test case
      sql/item_sum.cc:
        The fix is always to use orig_args array of items.
      c04bf683
  2. 27 Oct, 2010 2 commits
  3. 25 Oct, 2010 2 commits
  4. 21 Oct, 2010 2 commits
  5. 18 Oct, 2010 4 commits
    • Sergey Glukhov's avatar
      5.1-security->5.5-security merge · babfc2e1
      Sergey Glukhov authored
      babfc2e1
    • Sergey Glukhov's avatar
      Bug#56814 Explain + subselect + fulltext crashes server · d0ac4e2c
      Sergey Glukhov authored
      create_sort_index() function overwrites original JOIN_TAB::type field.
      At re-execution of subquery overwritten JOIN_TAB::type(JT_ALL) is
      used instead of JT_FT. It misleads test_if_skip_sort_order() and
      the function tries to find suitable key for the order that should
      not be allowed for FULLTEXT(JT_FT) table.
      The fix is to restore JOIN_TAB strucures for subselect on re-execution
      for EXPLAIN.
      Additional fix:
      Update TABLE::maybe_null field which
      affects list_contains_unique_index() behaviour as it
      could have the value(maybe_null==TRUE) based on the
      assumption that this join is outer
      (see setup_table_map() func).
      
      
      mysql-test/r/explain.result:
        test case
      mysql-test/t/explain.test:
        test case
      sql/item_subselect.cc:
        Make subquery uncacheable in case of EXPLAIN. It allows to keep
        original JOIN_TAB::type(see JOIN::save_join_tab) and restore it
        on re-execution.
      sql/sql_select.cc:
        -restore JOIN_TAB strucures for subselect on re-execution for EXPLAIN
        -Update TABLE::maybe_null field as it could have
         the value(maybe_null==TRUE) based on the assumption
         that this join is outer(see setup_table_map() func).
         This change is not related to the crash problem but
         affects EXPLAIN results in the test case.
      d0ac4e2c
    • Sergey Glukhov's avatar
      5.1-security->5.5-security merge · 318b590b
      Sergey Glukhov authored
      318b590b
    • Sergey Glukhov's avatar
      Bug#54484 explain + prepared statement: crash and Got error -1 from storage engine · 127c721c
      Sergey Glukhov authored
      Subquery executes twice, at top level JOIN::optimize and ::execute stages.
      At first execution create_sort_index() function is called and
      FT_SELECT object is created and destroyed. HANDLER::ft_handler is cleaned up
      in the object destructor and at second execution FT_SELECT::get_next() method
      returns error.
      The fix is to reinit HANDLER::ft_handler field before re-execution of subquery.
      
      
      mysql-test/r/fulltext.result:
        test case
      mysql-test/t/fulltext.test:
        test case
      sql/item_func.cc:
        reinit ft_handler before re-execution of subquery
      sql/item_func.h:
        Fixed method name
      sql/sql_select.cc:
        reinit ft_handler before re-execution of subquery
      127c721c
  6. 17 Oct, 2010 2 commits
  7. 15 Oct, 2010 4 commits
  8. 13 Oct, 2010 1 commit
  9. 12 Oct, 2010 3 commits
    • Ramil Kalimullin's avatar
      Fix for bug#57283: inet_ntoa() crashes · b001a522
      Ramil Kalimullin authored
      Problem: some call of INET_NTOA() function may lead 
      to a crash due to missing its character set initialization.
      
      Fix: explicitly set the character set.
      
      
      mysql-test/r/func_misc.result:
        Fix for bug#57283: inet_ntoa() crashes
          - test result.
      mysql-test/t/func_misc.test:
        Fix for bug#57283: inet_ntoa() crashes
          - test case.
      sql/item_strfunc.cc:
        Fix for bug#57283: inet_ntoa() crashes
          - explicitly set buffer's character set.
      b001a522
    • Ramil Kalimullin's avatar
      Fix for bug#57272: crash in rpad() when using utf8 · 42550e21
      Ramil Kalimullin authored
      Problem: if multibyte and binary string arguments passed to 
      RPAD(), LPAD() or INSERT() functions, they might return 
      wrong results or even lead to a server crash due to missed
      character set convertion.
      
      Fix: perform the convertion if necessary.
      
      
      mysql-test/r/ctype_utf8.result:
        Fix for bug#57272: crash in rpad() when using utf8
          - test result.
      mysql-test/t/ctype_utf8.test:
        Fix for bug#57272: crash in rpad() when using utf8
          - test case.
      sql/item_strfunc.cc:
        Fix for bug#57272: crash in rpad() when using utf8
          - convert multibyte argument's character set to binary in case of
        FUNCTION(MULTIBYTE_ARG, .., BINARY_ARG,..) for RPAD(), LPAD() and 
        INSERT() functions.
      42550e21
    • Jimmy Yang's avatar
      36966a2c
  10. 11 Oct, 2010 7 commits
  11. 07 Oct, 2010 2 commits
  12. 06 Oct, 2010 7 commits