1. 11 Oct, 2006 5 commits
  2. 09 Oct, 2006 2 commits
    • unknown's avatar
      Merge bk-internal.mysql.com:/home/bk/mysql-4.1-maint · 41237151
      unknown authored
      into  zippy.cornsilk.net:/home/cmiller/work/mysql/bug17583/my41-bug17583
      
      
      client/mysql.cc:
        Auto merged
      41237151
    • unknown's avatar
      Bug#17583: mysql drops connection when stdout is not writable · 8af12677
      unknown authored
      When the client program had its stdout file descriptor closed by the calling
      shell, after some amount of work (enough to fill a socket buffer) the server 
      would complain about a packet error and then disconnect the client.
      
      This is a serious security problem.  If stdout is closed before the mysql is
      exec()d, then the first socket() call allocates file number 1 to communicate
      with the server.  Subsequent write()s to that file number (as when printing
      results that come back from the database) go back to the server instead in 
      the command channel.  So, one should be able to craft data which, upon being
      selected back from the server to the client, and injected into the command
      stream become valid MySQL protocol to do something nasty when sent /back/ to 
      the server.
      
      The solution is to close explicitly the file descriptor that we *printf() to, 
      so that the libc layer and the OS layer both agree that the file is closed.
      
      
      BitKeeper/etc/collapsed:
        BitKeeper file /home/cmiller/work/mysql/bug17583/my41-bug17583/BitKeeper/etc/collapsed
      client/mysql.cc:
        If standard output is not open (specifically, if dup() of its file number 
        fails) then we explicitly close it so that future uses of the file descriptor
        behave correctly for a closed file.
      mysql-test/r/mysql_client.result:
        Prove that the problem of writing SQL output to the command socket no longer
        exists.
      mysql-test/t/mysql_client.test:
        Prove that the problem of writing SQL output to the command socket no longer
        exists.
      8af12677
  3. 04 Oct, 2006 2 commits
    • unknown's avatar
      Merge rolltop.ignatz42.dyndns.org:/mnt/storeage/bug19660/my41-bug19660 · d5172cff
      unknown authored
      into  rolltop.ignatz42.dyndns.org:/mnt/storeage/mysql-4.1-maint
      
      
      client/mysqldump.c:
        Auto merged
      d5172cff
    • unknown's avatar
      Fixes a number of problems with time/datetime <-> string conversion functions: · f29045b4
      unknown authored
      - bug #11655 "Wrong time is returning from nested selects - maximum time exists
      - input and output TIME values were not validated properly in several conversion functions
      - bug #20927 "sec_to_time treats big unsigned as signed"
      - integer overflows were not checked in several functions. As a result, input values like 2^32 or 3600*2^32 were treated as 0
      - BIGINT UNSIGNED values were treated as SIGNED in several functions
      - in cases where both input string truncation and out-of-range TIME value occur, only 'truncated incorrect time value' warning was produced
      
      
      include/my_time.h:
        Added defines for the TIME limits
        Added defines for the warning flags set by str_to_time() and check_time_range()
        Added check_time_range() declaration
      mysql-test/r/func_sapdb.result:
        Fixed testcases which relied on incorrect TIMEDIFF() behaviour
      mysql-test/r/func_time.result:
        Fixed testcase which relied on incorrect behaviour
        Added testcases for out-of-range values in SEC_TO_TIME(), TIME_TO_SEC(), ADDTIME(), SUBTIME() and EXTRACT()
      mysql-test/t/func_time.test:
        Added testcases for out-of-range values in SEC_TO_TIME(), TIME_TO_SEC(), ADDTIME(), SUBTIME() and EXTRACT()
      sql-common/my_time.c:
        Added check_time_range() to be used from str_to_time() and item_timefunc.cc
        Added new out-of-range flag to str_to_time() warnings
        Use '%u' instead of '%d' in my_*_to_str() because the arguments are unsigned
      sql/field.cc:
        Replaced out-of-range checks with checks for flags returned by str_to_time()
      sql/item_timefunc.cc:
        Added wrappers over make_datetime() and make_time() which perform out-of-range checks on input values
        Moved common code in Item_func_sec_to_time::val_str() and Item_func_sec_to_time::val_int() into a separate function sec_to_time()
        Replaced calls to make_datetime() with make_datetime_with_warn() in Item_func_add_time and Item_func_timediff
        Checks for 'unsigned int' overflows in Item_func_maketime
        Use make_time_with_warn() instead of make_time() in Item_func_maketime
        Fixed incorrect sizeof() in Item_func_str_to_date::get_time()
      sql/time.cc:
        Check for return value of str_to_time() along with warning flags
      f29045b4
  4. 03 Oct, 2006 8 commits
  5. 02 Oct, 2006 13 commits
  6. 30 Sep, 2006 3 commits
  7. 29 Sep, 2006 5 commits
  8. 28 Sep, 2006 2 commits
    • unknown's avatar
      Merge rolltop.ignatz42.dyndns.org:/mnt/storeage/bug20305/my41-bug20305 · 6c8588a3
      unknown authored
      into  rolltop.ignatz42.dyndns.org:/mnt/storeage/mysql-4.1-maint
      
      6c8588a3
    • unknown's avatar
      Fix for bug#22338 "Valgrind warning: uninitialized variable in · 3385bda9
      unknown authored
      create_tmp_table()".
      
      The fix for bug 21787 "COUNT(*) + ORDER BY + LIMIT returns wrong
      result" introduced valgrind warnings which occured during execution
      of information_schema.test and sp-prelocking.test in version 5.0.
      There were no user visible effects.
      
      The latter fix made create_tmp_table() dependant on
      THD::lex::current_select value. Valgrind warnings occured when this
      function was executed and THD::lex::current_select member pointed
      to uninitialized SELECT_LEX instance.
      
      This fix tries to remove this dependancy by moving some logic
      outside of create_tmp_table() function.
      
      
      sql/sql_select.cc:
        create_tmp_table():
          Moved code which is responsible for determining if optimization
          which pushes down LIMIT clause to temporary table creation is
          applicable out of this function.
          Such move made this function independant of THD::lex::current_select
          value and removed valgrind warnings which occured in cases when this
          member pointed to uninitialized SELECT_LEX object (particularly these
          warnings occured in sp-prelocking.test and information_schema.test
          in 5.0). This seems like a better solution than trying to force this
          pointer always to point to relevant select because:
          - In some cases when we use create_tmp_table() there are no relevant
            SELECT_LEX object (we use it just to create temporary table/object).
          - There is only one place in code where we call this funciton and
            where this optimization can be enabled. And in this place we
            already have some logic which tries to determine if it is applicable.
      3385bda9