Merge kaamos.(none):/data/src/opt/mysql-5.0-opt

into kaamos.(none):/data/src/opt/mysql-5.1-opt sql/field.h: Auto merged sql/item_timefunc.cc: Auto merged sql/item_timefunc.h: Auto merged sql/set_var.cc: Auto merged sql/sql_base.cc: Auto merged mysql-test/r/subselect.result: Manual merge. mysql-test/t/subselect.test: Manual merge. sql/filesort.cc: Manual merge.

Merge kaamos.(none):/data/src/opt/mysql-5.0-opt
into kaamos.(none):/data/src/opt/mysql-5.1-opt sql/field.h: Auto merged sql/item_timefunc.cc: Auto merged sql/item_timefunc.h: Auto merged sql/set_var.cc: Auto merged sql/sql_base.cc: Auto merged mysql-test/r/subselect.result: Manual merge. mysql-test/t/subselect.test: Manual merge. sql/filesort.cc: Manual merge.
1748d9b5 · unknown · 9a69f568 · e2693cfc · 1748d9b5 · 1748d9b5
Commit 1748d9b5 authored Jan 10, 2008 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 8 deletions

mysql-test/r/subselect.result mysql-test/r/subselect.result +9 -0

mysql-test/t/subselect.test mysql-test/t/subselect.test +23 -0

sql/filesort.cc sql/filesort.cc +12 -8

No files found.
--- a/mysql-test/r/subselect.result
+++ b/mysql-test/r/subselect.result
@@ -4282,6 +4282,15 @@ SELECT 2 FROM t1 WHERE EXISTS ((SELECT 1 FROM t2 WHERE t1.a=t2.a) UNION
 ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION 
 (SELECT 1 FROM t2 WHERE t1.a = t2.a))' at line 2
 DROP TABLE t1,t2;
+create table t1(f11 int, f12 int);
+create table t2(f21 int unsigned not null, f22 int, f23 varchar(10));
+insert into t1 values(1,1),(2,2), (3, 3);
+set session sort_buffer_size= 33*1024;
+select count(*) from t1 where f12 = 
+(select f22 from t2 where f22 = f12 order by f21 desc, f22, f23 limit 1);
+count(*)
+3
+drop table t1,t2;
 End of 5.0 tests.
 CREATE TABLE t1 (a int, b int);
 INSERT INTO t1 VALUES (2,22),(1,11),(2,22);

--- a/mysql-test/t/subselect.test
+++ b/mysql-test/t/subselect.test
@@ -3136,6 +3136,28 @@ SELECT 2 FROM t1 WHERE EXISTS ((SELECT 1 FROM t2 WHERE t1.a=t2.a) UNION

 DROP TABLE t1,t2;

+#
+# Bug#33675: Usage of an uninitialized memory by filesort in a subquery
+#            caused server crash.
+#
+create table t1(f11 int, f12 int);
+create table t2(f21 int unsigned not null, f22 int, f23 varchar(10));
+insert into t1 values(1,1),(2,2), (3, 3);
+let $i=10000;
+--disable_query_log
+--disable_warnings
+while ($i)
+{
+  eval insert into t2 values (-1 , $i/5000 + 1, '$i');
+  dec $i;
+}
+--enable_warnings
+--enable_query_log
+set session sort_buffer_size= 33*1024;
+select count(*) from t1 where f12 = 
+(select f22 from t2 where f22 = f12 order by f21 desc, f22, f23 limit 1);
+
+drop table t1,t2;

 --echo End of 5.0 tests.

@@ -3165,6 +3187,7 @@ SELECT a FROM t1 t0
 SET @@sql_mode=default;
 DROP TABLE t1;

+#
 # Bug#20835 (literal string with =any values)
 #
 CREATE TABLE t1 (s1 char(1));

--- a/sql/filesort.cc
+++ b/sql/filesort.cc
@@ -37,7 +37,8 @@ if (my_b_write((file),(uchar*) (from),param->ref_length)) \

 static char **make_char_array(char **old_pos, register uint fields,
                              uint length, myf my_flag);
-static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffer_file, uint count);
+static byte *read_buffpek_from_file(IO_CACHE *buffer_file, uint count,
+                                    byte *buf);
 static ha_rows find_all_keys(SORTPARAM *param,SQL_SELECT *select,
 			     uchar * *sort_keys, IO_CACHE *buffer_file,
 			     IO_CACHE *tempfile,IO_CACHE *indexfile);
@@ -244,9 +245,10 @@ ha_rows filesort(THD *thd, TABLE *table, SORT_FIELD *sortorder, uint s_length,
  }
  else
  {
-    if (!table_sort.buffpek && table_sort.buffpek_len < maxbuffer &&
-        !(table_sort.buffpek=
-          (uchar *) read_buffpek_from_file(&buffpek_pointers, maxbuffer)))
+    if (!(table_sort.buffpek=
+          (uchar *) read_buffpek_from_file(&buffpek_pointers, maxbuffer,
+                                 (table_sort.buffpek_len < maxbuffer ?
+                                  NULL : table_sort.buffpek))))
      goto err;
    buffpek= (BUFFPEK *) table_sort.buffpek;
    table_sort.buffpek_len= maxbuffer;
@@ -374,14 +376,16 @@ static char **make_char_array(char **old_pos, register uint fields,

 /* Read 'count' number of buffer pointers into memory */

-static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count)
+static byte *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count,
+                                    byte *buf)
 {
-  ulong length;
-  BUFFPEK *tmp;
+  ulong length= sizeof(BUFFPEK)*count;
+  byte *tmp= buf;
  DBUG_ENTER("read_buffpek_from_file");
  if (count > UINT_MAX/sizeof(BUFFPEK))
    return 0; /* sizeof(BUFFPEK)*count will overflow */
-  tmp=(BUFFPEK*) my_malloc(length=sizeof(BUFFPEK)*count, MYF(MY_WME));
+  if (!tmp)
+    tmp= (byte *)my_malloc(length, MYF(MY_WME));
  if (tmp)
  {
    if (reinit_io_cache(buffpek_pointers,READ_CACHE,0L,0,0) ||