- 26 Nov, 2010 2 commits
-
-
Gleb Shchepa authored
-
unknown authored
-
- 25 Nov, 2010 1 commit
-
-
Georgi Kodinov authored
-
- 24 Nov, 2010 8 commits
-
-
Gleb Shchepa authored
> revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780 > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l > committer: Gleb Shchepa <gshchepa@mysql.com> > branch nick: mysql-5.1-security > timestamp: Sun 2010-08-01 22:12:36 +0400 > Bug #54461: crash with longblob and union or update with subquery > > Queries may crash, if > 1) the GREATEST or the LEAST function has a mixed list of > numeric and LONGBLOB arguments and > 2) the result of such a function goes through an intermediate > temporary table. > > An Item that references a LONGBLOB field has max_length of > UINT_MAX32 == (2^32 - 1). > > The current implementation of GREATEST/LEAST returns REAL > result for a mixed list of numeric and string arguments (that > contradicts with the current documentation, this contradiction > was discussed and it was decided to update the documentation). > > The max_length of such a function call was calculated as a > maximum of argument max_length values (i.e. UINT_MAX32). > > That max_length value of UINT_MAX32 was used as a length for > the intermediate temporary table Field_double to hold > GREATEST/LEAST function result. > > The Field_double::val_str() method call on that field > allocates a String value. > > Since an allocation of String reserves an additional byte > for a zero-termination, the size of String buffer was > set to (UINT_MAX32 + 1), that caused an integer overflow: > actually, an empty buffer of size 0 was allocated. > > An initialization of the "first" byte of that zero-size > buffer with '\0' caused a crash. > > The Item_func_min_max::fix_length_and_dec() has been > modified to calculate max_length for the REAL result like > we do it for arithmetical operators. mysql-test/r/func_misc.result: Test case for bug #54461. mysql-test/t/func_misc.test: Test case for bug #54461. sql/item_func.cc: Bug #54461: crash with longblob and union or update with subquery The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators.
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
Fix formatting issues in README file.
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
EXCEPTIONS-CLIENT from all the places.
-
- 23 Nov, 2010 4 commits
-
-
Ramil Kalimullin authored
See bug #58416.
-
Ramil Kalimullin authored
-
Ramil Kalimullin authored
-
Sergey Glukhov authored
In case of low memory sort buffer QUICK_INDEX_MERGE_SELECT creates temporary file where is stores row ids which meet QUICK_SELECT ranges except of clustered pk range, clustered range is processed separately. In init_read_record we check if temporary file is used and choose appropriate record access method. It does not take into account that temporary file contains partial result in case of QUICK_INDEX_MERGE_SELECT with clustered pk range. The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT with clustered pk range is used. mysql-test/suite/innodb/r/innodb_mysql.result: test case mysql-test/suite/innodb/t/innodb_mysql.test: test case mysql-test/suite/innodb_plugin/r/innodb_mysql.result: test case mysql-test/suite/innodb_plugin/t/innodb_mysql.test: test case sql/opt_range.h: added new method sql/records.cc: The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT with clustered pk range is used.
-
- 22 Nov, 2010 7 commits
-
-
Gleb Shchepa authored
5.0-security --> 5.1-security
-
Gleb Shchepa authored
> revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53 > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com> > branch nick: 5.1-security > timestamp: Tue 2010-08-24 14:35:48 +0400 > message: > Bug #55568: user variable assignments crash server when used > within query > > The server could crash after materializing a derived table > which requires a temporary table for grouping. > > When destroying the temporary table used to execute a query for > a derived table, JOIN::destroy() did not clean up Item_fields > pointing to fields in the temporary table. This led to > dereferencing a dangling pointer when printing out the items > tree later in the outer SELECT. > > The solution is an addendum to the patch for bug37362: in > addition to cleaning up items in tmp_all_fields3, do the same > for items in tmp_all_fields1, since now we have an example > where this is necessary. sql/field.cc: Make sure field->table_name is not set to NULL in Field::make_field() to avoid assertion failure in Item_field::make_field() after cleaning up items (the assertion fired in udf.test when running the test suite with the patch applied). sql/sql_select.cc: In addition to cleaning up items in tmp_all_fields3, do the same for items in tmp_all_fields1. Introduce a new helper function to avoid code duplication. sql/sql_select.h: Introduce a new helper function to avoid code duplication in JOIN::destroy().
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
-
Alexander Nozdrin authored
-
Ramil Kalimullin authored
-
Guilhem Bichot authored
and related small fixes. mysql-test/t/user_var.test: test for bug sql/field_conv.cc: From the C standard, memcpy() has undefined behaviour if to->ptr==from->ptr sql/item_func.cc: In the case of BUG#56138, entry->value==ptr in which case memcpy() has undefined results per the C standard. sql/sql_select.cc: Work around a bug in old gcc
-
- 20 Nov, 2010 1 commit
-
-
Davi Arnaut authored
Although ICC identifies itself as GCC, even in version numbers, it does not support the stpcpy built-in. include/m_string.h: Work around ICC. Hacks...
-
- 18 Nov, 2010 1 commit
-
-
Georgi Kodinov authored
options/settings 1. Changed the default value for socket on Windows to the windows default 2. Removed hard-coded trailing slashes from innodb_data_home_dir and innodb_log_group_name_dir. 3. Added extra backslashes to the innodb directory example 4. Made the tempdir platform "dependent" 5. Fixed the comments in the .ini files 6. Removed the tmpdir from the templates and the scripts
-
- 19 Nov, 2010 1 commit
-
-
Bjorn Munch authored
-
- 18 Nov, 2010 6 commits
-
-
unknown authored
-
Vasil Dimov authored
-
Vasil Dimov authored
-
Alexander Barkov authored
Problem: crash in Item_float constructor on DBUG_ASSERT due to not null-terminated string parameter. Fix: making Item_float::Item_float non-null-termintated parameter safe: - Using temporary buffer when generating error modified: @ mysql-test/r/xml.result @ mysql-test/t/xml.test @ sql/item.cc
-
Ramil Kalimullin authored
-
Sergey Glukhov authored
ESCAPE argument might be empty string. It leads to server crash under some circumstances. The fix: -added check if ESCAPE argument result is not empty string mysql-test/r/ctype_latin1.result: test case mysql-test/t/ctype_latin1.test: test case sql/item_cmpfunc.cc: -added check if ESCAPE argument result is not empty string
-
- 17 Nov, 2010 3 commits
-
-
Bjorn Munch authored
Evaluation would start with the space and thus ignore the $ Added while() to skip past white space
-
Davi Arnaut authored
Use __builtin_stpcpy only if the system supports stpcpy. This is necessary as in some cases a call to stpcpy will be emitted if the built-in can not optimized. include/m_string.h: The expansion of stpcpy (in glibc) causes warnings if the return value of strmov is not being used. Since stpcpy is a GNU extension and the expansion ends up using a built-in provided by GCC, use the compiler provided built-in directly when possible. Nonetheless, the C library must have stpcpy as a call be emitted if the built-in can not optimized.
-
Mattias Jonsson authored
for --list_files in mysqltest. client/mysqltest.cc: Backported --replace_result for --list_files. mysql-test/r/mysqltest.result: updated test. mysql-test/t/mysqltest.test: added test for replace_result on list_files.
-
- 15 Nov, 2010 3 commits
-
-
Mattias Jonsson authored
-
Mattias Jonsson authored
-
Bjorn Munch authored
Results from query is sent for evaluation Break recursion by asking for ` to be ignored
-
- 14 Nov, 2010 1 commit
-
-
Bjorn Munch authored
-
- 12 Nov, 2010 1 commit
-
-
Alexander Barkov authored
Problem: When GET_FORMAT() is called two times from the upper level function (e.g. LEAST in the bug report), on the second call "res= args[0]->val_str(...)" and str point to the same String object. 1. Fix: changing the order from - get val_str into tmp_value then convert to str to - get val_str into str then convert to tmp_value The new order is more correct: the purpose of "str" parameter is exactly to call val_str() for arguments. The purpose of String class members (like tmp_value) is to do further actions on the result. Doing it in the other way around give unexpected surprises. 2. Using str_value instead of str to do padding, for the same reason.
-
- 11 Nov, 2010 1 commit
-
-
Marko Mäkelä authored
thr_local_create(): Initialize local->slot_no to ULINT_UNDEFINED. thr_local_validate(): Allow local->slot_no to be ULINT_UNDEFINED.
-