1. 14 Nov, 2007 1 commit
  2. 12 Nov, 2007 5 commits
  3. 06 Nov, 2007 1 commit
    • unknown's avatar
      BUG#32111 - Security Breach via DATA/INDEX DIRECORY and RENAME TABLE · ff4b438b
      unknown authored
      RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites
      the file to which the symlink points.
      
      This is security issue, because it is possible to create a table with
      some name in some non-system database and set DATA/INDEX DIRECTORY
      to mysql system database. Renaming this table to one of mysql system
      tables (e.g. user, host) would overwrite the system table.
      
      Return an error when the file to which the symlink points exist.
      
      
      mysql-test/r/symlink.result:
        A test case for BUG#32111.
      mysql-test/t/symlink.test:
        A test case for BUG#32111.
      mysys/my_symlink2.c:
        Return an error when the file to which the symlink points exist.
      ff4b438b
  4. 02 Nov, 2007 8 commits
  5. 30 Oct, 2007 2 commits
    • unknown's avatar
      Merge stella.local:/home2/mydev/mysql-4.1-amain · 967c06df
      unknown authored
      into  stella.local:/home2/mydev/mysql-4.1-axmrg
      
      
      967c06df
    • unknown's avatar
      BUG#11392 - fulltext search bug · b698b6fd
      unknown authored
      Fulltext boolean mode phrase search may crash server on platforms
      where size of pointer is not equal to size of unsigned integer
      (in other words some 64-bit platforms).
      
      The problem was integer overflow.
      
      Affects 4.1 only.
      
      
      myisam/ft_boolean_search.c:
        my_match_t::beg is unsigned int, that means type of expression
        (m[0].beg - 1) has unsigned type too. It may happen that instr()
        finds substring in the beggining of passed string, returning
        m[0].beg equal to 0. In this case value of expression (m[0].beg - 1)
        is equal to MAX_UINT.
        
        This is not a problem on platforms where sizeof(pointer) equals to
        sizeof(uint). That means ptr[(uint)-1] = ptr[(uint)MAX_UINT] = ptr - 1.
        
        On some 64-bit platforms where sizeof(pointer) is 8 and sizeof(uint)
        is 4, wrong address gets accessed. In other words ptr[(uint)-1] is
        equal to ptr + MAX_UINT.
      mysql-test/r/fulltext.result:
        A test case for BUG#11392.
      mysql-test/t/fulltext.test:
        A test case for BUG#11392.
      b698b6fd
  6. 29 Oct, 2007 1 commit
  7. 25 Oct, 2007 1 commit
    • unknown's avatar
      add new trigger to prevent certain naming clashes · 80241b44
      unknown authored
      
      BitKeeper/triggers/pre-commit.check-case.pl:
        catch duplicate file names, ignoring capitalisation, mostly to avoid changesets where a deleted file foobar and a deleted file FooBar break a tree on case insensitive file systems
      80241b44
  8. 24 Oct, 2007 2 commits
    • unknown's avatar
      Merge svojtovich@bk-internal.mysql.com:/home/bk/mysql-4.1-engines · 4fda18a3
      unknown authored
      into  mysql.com:/home/svoj/devel/mysql/BUG31159/mysql-4.1-engines
      
      
      4fda18a3
    • unknown's avatar
      BUG#31159 - fulltext search on ucs2 column crashes server · 660d6626
      unknown authored
      ucs2 doesn't provide required by fulltext ctype array. Crash
      happens because fulltext attempts to use unitialized ctype
      array.
      
      Fixed by converting ucs2 fields to compatible utf8 analogue.
      
      
      include/my_sys.h:
        Added a function to find compatible character set with ctype array
        available. Currently used by fulltext search to find compatible
        substitute for ucs2 collations.
      mysql-test/r/ctype_ucs.result:
        A test case for BUG#31159.
      mysql-test/t/ctype_ucs.test:
        A test case for BUG#31159.
      mysys/charset.c:
        Added a function to find compatible character set with ctype array
        available. Currently used by fulltext search to find compatible
        substitute for ucs2 collations.
      sql/item_func.cc:
        Convert ucs2 fields to utf8. Fulltext requires ctype array, but
        ucs2 doesn't provide it.
      660d6626
  9. 23 Oct, 2007 1 commit
  10. 19 Oct, 2007 1 commit
  11. 18 Oct, 2007 2 commits
    • unknown's avatar
      Merge tnurnberg@bk-internal.mysql.com:/home/bk/mysql-4.1-opt · 78a13fa4
      unknown authored
      into  sin.intern.azundris.com:/misc/mysql/31588/41-31588
      
      
      78a13fa4
    • unknown's avatar
      Bug#31588: buffer overrun when setting variables · cd9d89a7
      unknown authored
      Buffer used when setting variables was not dimensioned to accomodate
      trailing '\0'. An overflow by one character was therefore possible.
      CS corrects limits to prevent such overflows.
      
      
      mysql-test/r/variables.result:
        Try to overflow buffer used for setting system variables.
        Unpatched server should throw a valgrind warning here.
        Actual value and error message irrelevant, only length counts.
      mysql-test/t/variables.test:
        Try to overflow buffer used for setting system variables.
      sql/set_var.cc:
        Adjust maximum number of characters we can store in 'buff' by one
        as strmake() will write a terminating '\0'.
      cd9d89a7
  12. 17 Oct, 2007 1 commit
  13. 16 Oct, 2007 1 commit
  14. 11 Oct, 2007 1 commit
    • unknown's avatar
      Fix for bug #31174: "Repair" command on MyISAM crashes with small · 1c7b80df
      unknown authored
      myisam_sort_buffer_size.
      
      An incorrect length of the sort buffer was used when calculating the
      maximum number of keys. When myisam_sort_buffer_size is small enough,
      this could result in the number of keys < number of
      BUFFPEK structures which in turn led to use of uninitialized BUFFPEKs.
      
      Fixed by correcting the buffer length calculation.
      
      
      myisam/sort.c:
        Use a correct buffer length when calculating the maximum number of keys.
        Assert that for each BUFFPEK structure there is at least one
        corresponding key. Otherwise we would fail earlier and not reach
        merge_buffers().
      mysql-test/r/repair.result:
        Added a test case for bug #31174.
      mysql-test/t/repair.test:
        Added a test case for bug #31174.
      1c7b80df
  15. 10 Oct, 2007 2 commits
  16. 05 Oct, 2007 3 commits
    • unknown's avatar
      Merge mysql.com:/home/hf/work/30955/my41-30955 · 77d786b5
      unknown authored
      into  mysql.com:/home/hf/work/30286/my41-30286
      
      
      77d786b5
    • unknown's avatar
      Merge bk@192.168.21.1:mysql-4.1-opt · c14e8c80
      unknown authored
      into  mysql.com:/home/hf/work/30286/my41-30286
      
      
      c14e8c80
    • unknown's avatar
      Bug #30286 spatial index cause corruption and server crash! · 6d54b577
      unknown authored
      As the result of DOUBLE claculations can be bigger
      than DBL_MAX constant we use in code, we shouldn't use this constatn
      as a biggest possible value.
      Particularly the rtree_pick_key function set 'min_area= DBL_MAX' relying
      that any rtree_area_increase result will be less so we return valid
      key. Though in rtree_area_increase function we calculate the area
      of the rectangle, so the result can be 'inf' if the rectangle is
      huge enough, which is bigger than DBL_MAX.
      
      Code of the rtree_pick_key modified so we always return a valid key.
      
      
      myisam/rt_index.c:
        Bug #30286 spatial index cause corruption and server crash!
        
        always set the best_key with the first key we get, so we always return
        somthing valid.
      myisam/rt_mbr.c:
        Bug #30286 spatial index cause corruption and server crash!
        
        function comment extended
      mysql-test/r/gis-rtree.result:
        Bug #30286 spatial index cause corruption and server crash!
        test result
      mysql-test/t/gis-rtree.test:
        Bug #30286 spatial index cause corruption and server crash!
        test case
      6d54b577
  17. 04 Oct, 2007 5 commits
    • unknown's avatar
      Merge tnurnberg@bk-internal.mysql.com:/home/bk/mysql-4.1-maint · b055562b
      unknown authored
      into  sin.intern.azundris.com:/home/tnurnberg/30444/41-30444
      
      
      b055562b
    • unknown's avatar
      Backport of the 5.0 patch to 4.1 · 4d0ef0cc
      unknown authored
      Bug#28878: InnoDB tables with UTF8 character set and indexes cause  wrong result for DML
      When making key reference buffers over CHAR fields whitespace (0x20) must be used to fill in the remaining space in the field's buffer. This is what Field_string::store() does. Fixed Field_string::get_key_image() to do the same.
      
      
      mysql-test/r/innodb_mysql.result:
        Bug#28878: test case
      mysql-test/t/innodb_mysql.test:
        Bug#28878: test case
      sql/field.cc:
        Bug#28878: Fill with space instead of binary zeros.
      4d0ef0cc
    • unknown's avatar
      Merge tnurnberg@bk-internal.mysql.com:/home/bk/mysql-4.1-maint · bb050c0e
      unknown authored
      into  sin.intern.azundris.com:/home/tnurnberg/30444/41-30444
      
      
      bb050c0e
    • unknown's avatar
      Bug #30444: 5.0 mysqldump silently allows wrong backup to be taken against a 4.0 database · 3f4eaf57
      unknown authored
      The combination of --single-transaction and --master-data requires
      START TRANSACTION WITH CONSISTENT SNAPSHOT which is available from
      mysqld 4.1 on. When trying this against an older server, print
      diagnostic, then, if --force is not given, abort.
      
      No test-case given since it would require a mysqld < 4.1.
      
      
      client/mysqldump.c:
        Bug #30444: 5.0 mysqldump silently allows wrong backup to be taken against a 4.0 database
        
        The combination of --single-transaction and --master-data requires
        START TRANSACTION WITH CONSISTENT SNAPSHOT which is available from
        mysqld 4.1 on. When trying this against an older server, print
        diagnostic, then, if --force is not given, abort.
      3f4eaf57
    • unknown's avatar
      Fix for bug #31069: crash in 'sounds like' · db2d3104
      unknown authored
      and for bug #31070: crash during conversion of charsets
      
      Problem: passing a 0 byte length string to some my_mb_wc_XXX() 
      functions leads to server crash due to improper argument check.
      
      Fix: properly check arguments passed to my_mb_wc_XXX() functions.
      
      
      mysql-test/include/ctype_common.inc:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test case.
      mysql-test/r/ctype_big5.result:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test result.
      mysql-test/r/ctype_euckr.result:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test result.
      mysql-test/r/ctype_gb2312.result:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test result.
      mysql-test/r/ctype_gbk.result:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test result.
      mysql-test/r/ctype_uca.result:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - test result.
      strings/ctype-big5.c:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - check the string length before testing its first byte.
      strings/ctype-cp932.c:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - check the string length before testing its first byte.
      strings/ctype-euc_kr.c:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - check the string length before testing its first byte.
      strings/ctype-gb2312.c:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - check the string length before testing its first byte.
      strings/ctype-sjis.c:
        Fix for bug #31069: crash in 'sounds like'
        and bug #31070: crash during conversion of charsets
          - check the string length before testing its first byte.
      db2d3104
  18. 03 Oct, 2007 1 commit
    • unknown's avatar
      Bug #30955 geomfromtext() crasher. · ae3d4bfc
      unknown authored
      end-of-line check missed in Gis_read_stream::get_next_word,
      what can lead to crashes (expecially with NULL strings).
      
      End-of-line check added
      
      
      sql/gstream.cc:
        Bug #30955 geomfromtext() crasher
      mysql-test/r/gis.result:
        Bug #30955 geomfromtext() crasher.
        
        test result
      mysql-test/t/gis.test:
        Bug #30955 geomfromtext() crasher.
        
        test case
      ae3d4bfc
  19. 28 Sep, 2007 1 commit
    • unknown's avatar
      ctype-simple.c: · 5c04a99e
      unknown authored
        Avoid undefined value when negating (bug#30069)
      
      
      strings/ctype-simple.c:
        Avoid undefined value when negating (bug#30069)
      5c04a99e