A fix and test case for Bug#5194 "Bulk Insert Failures with Prepared

Statements": 
- fix a couple of net->buff overruns in libmysql,
- check in the server that statement parameter count is less than
  65535 (maximum value supported by prepared statements protocol).
 


libmysql/libmysql.c:
  Bug#5194 "Bulk Insert Failures with Prepared Statements":
  - clean up my_realloc_str()
  - ensure that net buffer has space when storing null bits and
    parameter typecodes.
sql/net_serv.cc:
  - set net->last_errno if packet is too big, even on client
    (Why was it ifdefed before?)
sql/sql_prepare.cc:
  Bug#5194 "Bulk Insert Failures with Prepared Statements":
  - if placeholder count is bigger than 65535, give error.
    We have only 2 bytes reserved for transferring placeholder count
    in 4.1 protocol.
  - can't add a proper error code and message in 4.1 because of
    possible merge difficulties."
tests/client_test.c:
  A test case for Bug#5194 "Bulk Insert Failures with Prepared 
  Statements".

libmysql/libmysql.c

@@ -1703,16 +1703,18 @@ static void stmt_update_metadata(MYSQL_STMT *stmt, MYSQL_ROWS *data);
 /**************** Misc utility functions ****************************/
 
 /*
-  Reallocate the NET package to be at least of 'length' bytes
+  Reallocate the NET package to have at least length bytes available.
 
   SYNPOSIS
-   my_realloc_str()
-   net                 The NET structure to modify
-   length              Ensure that net->buff is at least this big
+    my_realloc_str()
+    net                 The NET structure to modify.
+    length              Ensure that net->buff has space for at least
+                        this number of bytes.
 
   RETURN VALUES
-  0	ok
-  1	Error
+    0   Success.
+    1   Error, i.e. out of memory or requested packet size is bigger
+        than max_allowed_packet. The error code is stored in net->last_errno.
 */
 
 static my_bool my_realloc_str(NET *net, ulong length)
@@ -2365,7 +2367,7 @@ static my_bool store_param(MYSQL_STMT *stmt, MYSQL_BIND *param)
     */
     if ((my_realloc_str(net, *param->length)))
     {
-      set_stmt_error(stmt, CR_OUT_OF_MEMORY, unknown_sqlstate);
+      set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
       DBUG_RETURN(1);
     }
     (*param->store_param_func)(net, param);
@@ -2427,6 +2429,11 @@ int cli_stmt_execute(MYSQL_STMT *stmt)
     net_clear(net);				/* Sets net->write_pos */
     /* Reserve place for null-marker bytes */
     null_count= (stmt->param_count+7) /8;
+    if (my_realloc_str(net, null_count + 1))
+    {
+      set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
+      DBUG_RETURN(1);
+    }
     bzero((char*) net->write_pos, null_count);
     net->write_pos+= null_count;
     param_end= stmt->params + stmt->param_count;
@@ -2435,6 +2442,11 @@ int cli_stmt_execute(MYSQL_STMT *stmt)
     *(net->write_pos)++= (uchar) stmt->send_types_to_server;
     if (stmt->send_types_to_server)
     {
+      if (my_realloc_str(net, 2 * stmt->param_count))
+      {
+        set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
+        DBUG_RETURN(1);
+      }
       /*
 	Store types of parameters in first in first package
 	that is sent to the server.

sql/net_serv.cc

@@ -193,9 +193,7 @@ my_bool net_realloc(NET *net, ulong length)
   {
     net->error= 1;
     net->report_error= 1;
-#ifdef MYSQL_SERVER
     net->last_errno= ER_OUT_OF_RESOURCES;
-#endif
     DBUG_RETURN(1);
   }
   net->buff=net->write_pos=buff;

sql/sql_prepare.cc

@@ -1475,8 +1475,16 @@ static int send_prepare_results(Prepared_statement *stmt, bool text_protocol)
 static bool init_param_array(Prepared_statement *stmt)
 {
   LEX *lex= stmt->lex;
+  THD *thd= stmt->thd;
   if ((stmt->param_count= lex->param_list.elements))
   {
+    if (stmt->param_count > (uint) UINT_MAX16)
+    {
+      /* Error code to be defined in 5.0 */
+      send_error(thd, ER_UNKNOWN_ERROR,
+                 "Prepared statement contains too many placeholders.");
+      return 1;
+    }
     Item_param **to;
     List_iterator<Item_param> param_iterator(lex->param_list);
     /* Use thd->mem_root as it points at statement mem_root */
@@ -1485,7 +1493,7 @@ static bool init_param_array(Prepared_statement *stmt)
                                   sizeof(Item_param*) * stmt->param_count);
     if (!stmt->param_array)
     {
-      send_error(stmt->thd, ER_OUT_OF_RESOURCES);
+      send_error(thd, ER_OUT_OF_RESOURCES);
       return 1;
     }
     for (to= stmt->param_array;

tests/client_test.c

@@ -10209,6 +10209,188 @@ static void test_bug5399()
 #undef NUM_OF_USED_STMT
 }
 
+
+static void test_bug5194()
+{
+  MYSQL_STMT *stmt;
+  MYSQL_BIND *bind;
+  char *query;
+  char *param_str;
+  int param_str_length;
+  const char *stmt_text;
+  int rc;
+  float float_array[250] =
+  {
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,  0.5,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,
+    0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25,  0.25
+  };
+  float *fa_ptr= float_array;
+  /* Number of columns per row */
+  const int COLUMN_COUNT= sizeof(float_array)/sizeof(*float_array);
+  /* Number of rows per bulk insert to start with */
+  const int MIN_ROWS_PER_INSERT= 260;
+  /* Max number of rows per bulk insert to end with */
+  const int MAX_ROWS_PER_INSERT= 300;
+  const int MAX_PARAM_COUNT= COLUMN_COUNT*MAX_ROWS_PER_INSERT;
+  const char *query_template= "insert into t1 values %s";
+  const int CHARS_PER_PARAM= 5; /* space needed to place ", ?" in the query */
+  const int uint16_max= 65535;
+  int nrows, i;
+
+  myheader("test_bug5194");
+
+  stmt_text= "drop table if exists t1";
+  rc= mysql_real_query(mysql, stmt_text, strlen(stmt_text));
+
+  stmt_text= "create table if not exists t1"
+   "(c1 float, c2 float, c3 float, c4 float, c5 float, c6 float, "
+   "c7 float, c8 float, c9 float, c10 float, c11 float, c12 float, "
+   "c13 float, c14 float, c15 float, c16 float, c17 float, c18 float, "
+   "c19 float, c20 float, c21 float, c22 float, c23 float, c24 float, "
+   "c25 float, c26 float, c27 float, c28 float, c29 float, c30 float, "
+   "c31 float, c32 float, c33 float, c34 float, c35 float, c36 float, "
+   "c37 float, c38 float, c39 float, c40 float, c41 float, c42 float, "
+   "c43 float, c44 float, c45 float, c46 float, c47 float, c48 float, "
+   "c49 float, c50 float, c51 float, c52 float, c53 float, c54 float, "
+   "c55 float, c56 float, c57 float, c58 float, c59 float, c60 float, "
+   "c61 float, c62 float, c63 float, c64 float, c65 float, c66 float, "
+   "c67 float, c68 float, c69 float, c70 float, c71 float, c72 float, "
+   "c73 float, c74 float, c75 float, c76 float, c77 float, c78 float, "
+   "c79 float, c80 float, c81 float, c82 float, c83 float, c84 float, "
+   "c85 float, c86 float, c87 float, c88 float, c89 float, c90 float, "
+   "c91 float, c92 float, c93 float, c94 float, c95 float, c96 float, "
+   "c97 float, c98 float, c99 float, c100 float, c101 float, c102 float, "
+   "c103 float, c104 float, c105 float, c106 float, c107 float, c108 float, "
+   "c109 float, c110 float, c111 float, c112 float, c113 float, c114 float, "
+   "c115 float, c116 float, c117 float, c118 float, c119 float, c120 float, "
+   "c121 float, c122 float, c123 float, c124 float, c125 float, c126 float, "
+   "c127 float, c128 float, c129 float, c130 float, c131 float, c132 float, "
+   "c133 float, c134 float, c135 float, c136 float, c137 float, c138 float, "
+   "c139 float, c140 float, c141 float, c142 float, c143 float, c144 float, "
+   "c145 float, c146 float, c147 float, c148 float, c149 float, c150 float, "
+   "c151 float, c152 float, c153 float, c154 float, c155 float, c156 float, "
+   "c157 float, c158 float, c159 float, c160 float, c161 float, c162 float, "
+   "c163 float, c164 float, c165 float, c166 float, c167 float, c168 float, "
+   "c169 float, c170 float, c171 float, c172 float, c173 float, c174 float, "
+   "c175 float, c176 float, c177 float, c178 float, c179 float, c180 float, "
+   "c181 float, c182 float, c183 float, c184 float, c185 float, c186 float, "
+   "c187 float, c188 float, c189 float, c190 float, c191 float, c192 float, "
+   "c193 float, c194 float, c195 float, c196 float, c197 float, c198 float, "
+   "c199 float, c200 float, c201 float, c202 float, c203 float, c204 float, "
+   "c205 float, c206 float, c207 float, c208 float, c209 float, c210 float, "
+   "c211 float, c212 float, c213 float, c214 float, c215 float, c216 float, "
+   "c217 float, c218 float, c219 float, c220 float, c221 float, c222 float, "
+   "c223 float, c224 float, c225 float, c226 float, c227 float, c228 float, "
+   "c229 float, c230 float, c231 float, c232 float, c233 float, c234 float, "
+   "c235 float, c236 float, c237 float, c238 float, c239 float, c240 float, "
+   "c241 float, c242 float, c243 float, c244 float, c245 float, c246 float, "
+   "c247 float, c248 float, c249 float, c250 float)";
+  rc= mysql_real_query(mysql, stmt_text, strlen(stmt_text));
+  myquery(rc);
+
+  bind= (MYSQL_BIND*) malloc(MAX_PARAM_COUNT * sizeof(MYSQL_BIND));
+  query= (char*) malloc(strlen(query_template) +
+                        MAX_PARAM_COUNT * CHARS_PER_PARAM + 1);
+  param_str= (char*) malloc(COLUMN_COUNT * CHARS_PER_PARAM);
+
+  if (bind == 0 || query == 0 || param_str == 0)
+  {
+    fprintf(stderr, "Can't allocate enough memory for query structs\n");
+    return;
+  }
+
+  stmt= mysql_stmt_init(mysql);
+
+  /* setup a template for one row of parameters */
+  sprintf(param_str, "(");
+  for (i= 1; i < COLUMN_COUNT; ++i)
+    strcat(param_str, "?, ");
+  strcat(param_str, "?)");
+  param_str_length= strlen(param_str);
+
+  /* setup bind array */
+  bzero(bind, MAX_PARAM_COUNT * sizeof(MYSQL_BIND));
+  for (i= 0; i < MAX_PARAM_COUNT; ++i)
+  {
+    bind[i].buffer_type= MYSQL_TYPE_FLOAT;
+    bind[i].buffer= fa_ptr;
+    if (++fa_ptr == float_array + COLUMN_COUNT)
+      fa_ptr= float_array;
+  }
+
+  /*
+    Test each number of rows per bulk insert, so that we can see where
+    MySQL fails.
+  */
+  for (nrows= MIN_ROWS_PER_INSERT; nrows <= MAX_ROWS_PER_INSERT; ++nrows)
+  {
+    char *query_ptr;
+    /* Create statement text for current number of rows */
+    sprintf(query, query_template, param_str);
+    query_ptr= query + strlen(query);
+    for (i= 1; i < nrows; ++i)
+    {
+      memcpy(query_ptr, ", ", 2);
+      query_ptr+= 2;
+      memcpy(query_ptr, param_str, param_str_length);
+      query_ptr+= param_str_length;
+    }
+    *query_ptr= '\0';
+
+    rc= mysql_stmt_prepare(stmt, query, query_ptr - query);
+    if (rc && nrows * COLUMN_COUNT > uint16_max)
+    {
+      printf("Failed to prepare a statement with %d placeholders "
+             "(as expected).\n", nrows * COLUMN_COUNT);
+      break;
+    }
+    else
+      check_execute(stmt, rc);
+
+    printf("Insert: query length= %d, row count= %d, param count= %lu\n",
+           strlen(query), nrows, mysql_stmt_param_count(stmt));
+
+    /* bind the parameter array and execute the query */
+    rc= mysql_stmt_bind_param(stmt, bind);
+    check_execute(stmt, rc);
+
+    rc= mysql_stmt_execute(stmt);
+    check_execute(stmt, rc);
+  }
+
+  mysql_stmt_close(stmt);
+  free(bind);
+  free(query);
+  free(param_str);
+  stmt_text= "drop table t1";
+  rc= mysql_real_query(mysql, stmt_text, strlen(stmt_text));
+  myquery(rc);
+}
+
+
 /*
   Read and parse arguments and MySQL options from my.cnf
 */
@@ -10511,6 +10693,7 @@ int main(int argc, char **argv)
                                dates in the server */
     test_bug5399();         /* check that statement id uniquely identifies
                                statement */
+    test_bug5194();         /* bulk inserts in prepared mode */
     /*
       XXX: PLEASE RUN THIS PROGRAM UNDER VALGRIND AND VERIFY THAT YOUR TEST
       DOESN'T CONTAIN WARNINGS/ERRORS BEFORE YOU PUSH.