Commit c9f6fbff authored by kent@mysql.com's avatar kent@mysql.com

Merge kboortz@bk-internal.mysql.com:/home/bk/mysql-4.1

into mysql.com:/Users/kent/mysql/bk/mysql-4.1-perl
parents 75ebab78 2baf0a15
...@@ -36,6 +36,7 @@ brian@private-client-ip-101.oz.net ...@@ -36,6 +36,7 @@ brian@private-client-ip-101.oz.net
brian@zim.(none) brian@zim.(none)
carsten@tsort.bitbybit.dk carsten@tsort.bitbybit.dk
davida@isil.mysql.com davida@isil.mysql.com
dean@mysql.com
dellis@goetia.(none) dellis@goetia.(none)
dlenev@brandersnatch.localdomain dlenev@brandersnatch.localdomain
dlenev@build.mysql.com dlenev@build.mysql.com
......
...@@ -261,6 +261,10 @@ FT_INFO *ft_init_nlq_search(MI_INFO *info, uint keynr, byte *query, ...@@ -261,6 +261,10 @@ FT_INFO *ft_init_nlq_search(MI_INFO *info, uint keynr, byte *query,
} }
/*
If ndocs == 0, this will not allocate RAM for FT_INFO.doc[],
so if ndocs == 0, FT_INFO.doc[] must not be accessed.
*/
dlist=(FT_INFO *)my_malloc(sizeof(FT_INFO)+ dlist=(FT_INFO *)my_malloc(sizeof(FT_INFO)+
sizeof(FT_DOC)*(aio.dtree.elements_in_tree-1), sizeof(FT_DOC)*(aio.dtree.elements_in_tree-1),
MYF(0)); MYF(0));
...@@ -329,7 +333,8 @@ float ft_nlq_find_relevance(FT_INFO *handler, ...@@ -329,7 +333,8 @@ float ft_nlq_find_relevance(FT_INFO *handler,
else else
a=c; a=c;
} }
if (docs[a].dpos == docid) /* bounds check to avoid accessing unallocated handler->doc */
if (a < handler->ndocs && docs[a].dpos == docid)
return (float) docs[a].weight; return (float) docs[a].weight;
else else
return 0.0; return 0.0;
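Review bot: The size expression passed to `my_malloc` in the first hunk still evaluates `aio.dtree.elements_in_tree-1` when the tree is empty, and the added comment documents that case instead of guarding it. The type of `elements_in_tree` is not visible in the hunk; if it is unsigned, the subtraction wraps, and where `size_t` is wider than that type the request could become very large rather than slightly smaller than `sizeof(FT_INFO)`. Making the zero case explicit removes that dependency, for example `sizeof(FT_DOC)*(aio.dtree.elements_in_tree ? aio.dtree.elements_in_tree-1 : 0),`. The `a < handler->ndocs` check in the second hunk covers only `ft_nlq_find_relevance`, so any other reader of `handler->doc` needs the same guard. Both function bodies continue outside the hunks, so whether the `my_malloc` result is checked cannot be confirmed from here.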
......
...@@ -402,6 +402,12 @@ select count(*) from t1; ...@@ -402,6 +402,12 @@ select count(*) from t1;
count(*) count(*)
1 1
drop table t1; drop table t1;
CREATE TABLE t1 ( a TEXT, FULLTEXT (a) );
INSERT INTO t1 VALUES ('testing ft_nlq_find_relevance');
SELECT MATCH(a) AGAINST ('nosuchword') FROM t1;
MATCH(a) AGAINST ('nosuchword')
0
DROP TABLE t1;
create table t1 (a int primary key, b text, fulltext(b)); create table t1 (a int primary key, b text, fulltext(b));
create table t2 (a int, b text); create table t2 (a int, b text);
insert t1 values (1, "aaaa"), (2, "bbbb"); insert t1 values (1, "aaaa"), (2, "bbbb");
......
...@@ -309,6 +309,14 @@ REPAIR TABLE t1; ...@@ -309,6 +309,14 @@ REPAIR TABLE t1;
select count(*) from t1; select count(*) from t1;
drop table t1; drop table t1;
#
# testing out of bounds memory access in ft_nlq_find_relevance()
# (bug#8522); visible in valgrind.
#
CREATE TABLE t1 ( a TEXT, FULLTEXT (a) );
INSERT INTO t1 VALUES ('testing ft_nlq_find_relevance');
SELECT MATCH(a) AGAINST ('nosuchword') FROM t1;
DROP TABLE t1;
# #
# bug#6784 # bug#6784
# mi_flush_bulk_insert (on dup key error in mi_write) # mi_flush_bulk_insert (on dup key error in mi_write)
......