1. 26 Nov, 2010 2 commits
  2. 25 Nov, 2010 1 commit
  3. 24 Nov, 2010 8 commits
    • Gleb Shchepa's avatar
      backport of bug #54461 from 5.1-security to 5.0-security · e86ae7d4
      Gleb Shchepa authored
       > revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780
       > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l
       > committer: Gleb Shchepa <gshchepa@mysql.com>
       > branch nick: mysql-5.1-security
       > timestamp: Sun 2010-08-01 22:12:36 +0400
       > Bug #54461: crash with longblob and union or update with subquery
       >
       > Queries may crash, if
       >   1) the GREATEST or the LEAST function has a mixed list of
       >      numeric and LONGBLOB arguments and
       >   2) the result of such a function goes through an intermediate
       >      temporary table.
       >
       > An Item that references a LONGBLOB field has max_length of
       > UINT_MAX32 == (2^32 - 1).
       >
       > The current implementation of GREATEST/LEAST returns REAL
       > result for a mixed list of numeric and string arguments (that
       > contradicts with the current documentation, this contradiction
       > was discussed and it was decided to update the documentation).
       >
       > The max_length of such a function call was calculated as a
       > maximum of argument max_length values (i.e. UINT_MAX32).
       >
       > That max_length value of UINT_MAX32 was used as a length for
       > the intermediate temporary table Field_double to hold
       > GREATEST/LEAST function result.
       >
       > The Field_double::val_str() method call on that field
       > allocates a String value.
       >
       > Since an allocation of String reserves an additional byte
       > for a zero-termination, the size of String buffer was
       > set to (UINT_MAX32 + 1), that caused an integer overflow:
       > actually, an empty buffer of size 0 was allocated.
       >
       > An initialization of the "first" byte of that zero-size
       > buffer with '\0' caused a crash.
       >
       > The Item_func_min_max::fix_length_and_dec() has been
       > modified to calculate max_length for the REAL result like
       > we do it for arithmetical operators.
      
      
      mysql-test/r/func_misc.result:
        Test case for bug #54461.
      mysql-test/t/func_misc.test:
        Test case for bug #54461.
      sql/item_func.cc:
        Bug #54461: crash with longblob and union or update with subquery
        
        The Item_func_min_max::fix_length_and_dec() has been
        modified to calculate max_length for the REAL result like
        we do it for arithmetical operators.
      e86ae7d4
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-security. · bd409074
      Alexander Nozdrin authored
      bd409074
    • Alexander Nozdrin's avatar
      A follow-up for Bug#58339 (Replace Server GPL README file). · de0b1516
      Alexander Nozdrin authored
      Fix formatting issues in README file.
      de0b1516
    • Alexander Nozdrin's avatar
      Empty merge from mysql-5.0-security. · 818f5bb7
      Alexander Nozdrin authored
      818f5bb7
    • Alexander Nozdrin's avatar
      Merge from mysql-5.1-bugteam. · bd28198c
      Alexander Nozdrin authored
      bd28198c
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · 0bce784b
      Alexander Nozdrin authored
      0bce784b
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · 259035e4
      Alexander Nozdrin authored
      259035e4
    • Alexander Nozdrin's avatar
      A follow-up for Bug#58340 (Remove Server GPL EXCEPTIONS-CLIENT file) -- remove all · 7368bb13
      Alexander Nozdrin authored
      EXCEPTIONS-CLIENT from all the places.
      7368bb13
  4. 23 Nov, 2010 4 commits
    • Ramil Kalimullin's avatar
      binlog.binlog_row_failure_mixing_engines test disabled. · c1c7278c
      Ramil Kalimullin authored
      See bug #58416.
      c1c7278c
    • Ramil Kalimullin's avatar
      Auto-merge with mysql-5.1-bugteam. · e905f472
      Ramil Kalimullin authored
      e905f472
    • Ramil Kalimullin's avatar
      Auto-merge with mysql-5.0-bugteam. · 5be8df48
      Ramil Kalimullin authored
      5be8df48
    • Sergey Glukhov's avatar
      Bug#56862 Execution of a query that uses index merge returns a wrong result · fb8b67cb
      Sergey Glukhov authored
      In case of low memory sort buffer QUICK_INDEX_MERGE_SELECT creates
      temporary file where is stores row ids which meet QUICK_SELECT ranges
      except of clustered pk range, clustered range is processed separately.
      In init_read_record we check if temporary file is used and choose
      appropriate record access method. It does not take into account that
      temporary file contains partial result in case of QUICK_INDEX_MERGE_SELECT
      with clustered pk range.
      The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT
      with clustered pk range is used.
      
      
      mysql-test/suite/innodb/r/innodb_mysql.result:
        test case
      mysql-test/suite/innodb/t/innodb_mysql.test:
        test case
      mysql-test/suite/innodb_plugin/r/innodb_mysql.result:
        test case
      mysql-test/suite/innodb_plugin/t/innodb_mysql.test:
        test case
      sql/opt_range.h:
        added new method
      sql/records.cc:
        The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT
        with clustered pk range is used.
      fb8b67cb
  5. 22 Nov, 2010 7 commits
    • Gleb Shchepa's avatar
      empty upmerge after backport of bug 55568 · c360911c
      Gleb Shchepa authored
      5.0-security --> 5.1-security
      c360911c
    • Gleb Shchepa's avatar
      backport: Bug #55568 from 5.1-security to 5.0-security · 21a33fa0
      Gleb Shchepa authored
      > revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h
      > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53
      > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
      > branch nick: 5.1-security
      > timestamp: Tue 2010-08-24 14:35:48 +0400
      > message:
      >   Bug #55568: user variable assignments crash server when used
      >               within query
      >   
      >   The server could crash after materializing a derived table
      >   which requires a temporary table for grouping.
      >   
      >   When destroying the temporary table used to execute a query for
      >   a derived table, JOIN::destroy() did not clean up Item_fields
      >   pointing to fields in the temporary table. This led to
      >   dereferencing a dangling pointer when printing out the items
      >   tree later in the outer SELECT.
      >   
      >   The solution is an addendum to the patch for bug37362: in
      >   addition to cleaning up items in tmp_all_fields3, do the same
      >   for items in tmp_all_fields1, since now we have an example
      >   where this is necessary.
      
      
      sql/field.cc:
        Make sure field->table_name is not set to NULL in
        Field::make_field() to avoid assertion failure in 
        Item_field::make_field() after cleaning up items
        (the assertion fired in udf.test when running
        the test suite with the patch applied).
      sql/sql_select.cc:
        In addition to cleaning up items in tmp_all_fields3, do the
        same for items in tmp_all_fields1.
        Introduce a new helper function to avoid code duplication.
      sql/sql_select.h:
        Introduce a new helper function to avoid code duplication in
        JOIN::destroy().
      21a33fa0
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · cef07f7d
      Alexander Nozdrin authored
      cef07f7d
    • Alexander Nozdrin's avatar
    • Alexander Nozdrin's avatar
    • Ramil Kalimullin's avatar
      Manual-merge from mysql-5.1-bugteam. · bbcad9b8
      Ramil Kalimullin authored
      bbcad9b8
    • Guilhem Bichot's avatar
      Fix for Bug#56138 "valgrind errors about overlapping memory when double-assigning same variable", · b1a542be
      Guilhem Bichot authored
      and related small fixes.
      
      mysql-test/t/user_var.test:
        test for bug
      sql/field_conv.cc:
        From the C standard, memcpy() has undefined behaviour if to->ptr==from->ptr
      sql/item_func.cc:
        In the case of BUG#56138, entry->value==ptr in which case memcpy()
        has undefined results per the C standard.
      sql/sql_select.cc:
        Work around a bug in old gcc
      b1a542be
  6. 20 Nov, 2010 1 commit
  7. 18 Nov, 2010 1 commit
    • Georgi Kodinov's avatar
      Bug #50021: Windows standard configuration files are showing Linux · 4011015f
      Georgi Kodinov authored
       options/settings
       
       1. Changed the default value for socket on Windows to the windows
       default
       2. Removed hard-coded trailing slashes from innodb_data_home_dir
       and innodb_log_group_name_dir.
       3. Added extra backslashes to the innodb directory example
       4. Made the tempdir platform "dependent"
       5. Fixed the comments in the .ini files
       6. Removed the tmpdir from the templates and the scripts
      4011015f
  8. 19 Nov, 2010 1 commit
  9. 18 Nov, 2010 6 commits
  10. 17 Nov, 2010 3 commits
    • Bjorn Munch's avatar
      Bug #58257 mysqltest: in if(), ! $var with space is always false · 69f2d932
      Bjorn Munch authored
      Evaluation would start with the space and thus ignore the $
      Added while() to skip past white space
      69f2d932
    • Davi Arnaut's avatar
      Bug#57994: Compiler flag change build error : my_redel.c · 1f128a12
      Davi Arnaut authored
      Use __builtin_stpcpy only if the system supports stpcpy.
      This is necessary as in some cases a call to stpcpy will
      be emitted if the built-in can not optimized.
      
      include/m_string.h:
        The expansion of stpcpy (in glibc) causes warnings if the
        return value of strmov is not being used. Since stpcpy is
        a GNU extension and the expansion ends up using a built-in
        provided by GCC, use the compiler provided built-in directly
        when possible. Nonetheless, the C library must have stpcpy
        as a call be emitted if the built-in can not optimized.
      1f128a12
    • Mattias Jonsson's avatar
      post-push fix, backported --replace_result patch · 366e6411
      Mattias Jonsson authored
      for --list_files in mysqltest.
      
      client/mysqltest.cc:
        Backported --replace_result for --list_files.
      mysql-test/r/mysqltest.result:
        updated test.
      mysql-test/t/mysqltest.test:
        added test for replace_result on list_files.
      366e6411
  11. 15 Nov, 2010 3 commits
  12. 14 Nov, 2010 1 commit
  13. 12 Nov, 2010 1 commit
    • Alexander Barkov's avatar
      Bug#58005 utf8 + get_format causes failed assertion: !str || str != Ptr' · 529e49f5
      Alexander Barkov authored
      Problem: When GET_FORMAT() is called two times from the upper
      level function (e.g. LEAST in the bug report), on the second
      call "res= args[0]->val_str(...)" and str point to the same
      String object.
      
      1. Fix: changing the order from
      - get val_str into tmp_value then convert to str
      to
      - get val_str into str then convert to tmp_value
      
      The new order is more correct: the purpose of "str" parameter
      is exactly to call val_str() for arguments.
      The purpose of String class members (like tmp_value) is to do further
      actions on the result.
      Doing it in the other way around give unexpected surprises.
      
      2. Using str_value instead of str to do padding, for the same reason.
      529e49f5
  14. 11 Nov, 2010 1 commit