From: Martin Hansson Date: December 14 2010 10:37am Subject: bzr commit into mysql-5.1-bugteam branch (martin.hansson:3520) Bug#58207 List-Archive: http://lists.mysql.com/commits/126738 X-Bug: 58207 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1890567484==" --===============1890567484== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///data0/martin/bzrroot/bug58207/5.1bt-minimal_fix/ based on revid:tor.didriksen@stripped 3520 Martin Hansson 2010-12-14 Bug#58207: invalid memory reads when using default column value and tmptable needed The function DEFAULT() works by modifying the the data buffer pointers (often referred to as 'record' or 'table record') of its argument. This modification is done during name resolution (fix_fields().) Unfortunately, the same modification is done when creating a temporary table, because default values need to propagate to the new table. Fixed by skipping the pointer modification for fields that are arguments to the DEFAULT function. modified: mysql-test/r/subselect4.result mysql-test/t/subselect4.test sql/sql_select.cc
=== modified file 'mysql-test/r/subselect4.result'
--- a/mysql-test/r/subselect4.result 2010-09-07 09:21:09 +0000
+++ b/mysql-test/r/subselect4.result 2010-12-14 10:37:00 +0000
@@ -164,5 +164,22 @@ a b
 2 NULL
 DROP TABLE t1, t2, t3, t4, t5;
 #
+# Bug#58207: invalid memory reads when using default column value and
+# tmptable needed
+#
+CREATE TABLE t1( a CHAR(1) DEFAULT 'a' );
+CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );
+INSERT INTO t1 VALUES ('b'), ('c');
+INSERT INTO t2 VALUES ('b'), ('c');
+SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11;
+DEFAULT(a)
+a
+a
+SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21;
+b
+a
+a
+DROP TABLE t1, t2;
+#
 # End of 5.1 tests.
 #
=== modified file 'mysql-test/t/subselect4.test'
--- a/mysql-test/t/subselect4.test 2010-09-07 09:21:09 +0000
+++ b/mysql-test/t/subselect4.test 2010-12-14 10:37:00 +0000 @@ -136,6 +136,21 @@ SELECT * FROM t1 WHERE NULL NOT IN ( SEL DROP TABLE t1, t2, t3, t4, t5; +--echo # +--echo # Bug#58207: invalid memory reads when using default column value and +--echo # tmptable needed +--echo # +CREATE TABLE t1( a CHAR(1) DEFAULT 'a' ); +CREATE TABLE t2( a CHAR(245) DEFAULT 'a' ); + +INSERT INTO t1 VALUES ('b'), ('c'); +INSERT INTO t2 VALUES ('b'), ('c'); + +SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11; + +SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21; + +DROP TABLE t1, t2; --echo # --echo # End of 5.1 tests. === modified file 'sql/sql_select.cc' --- a/sql/sql_select.cc 2010-11-26 12:51:48 +0000 +++ b/sql/sql_select.cc 2010-12-14 10:37:00 +0000 
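Review bot: The two added SELECTs assert only the returned rows, and an invalid read can still yield `a` / `a`, so this block may guard the fix only when the suite runs under a memory checker; a comment above it should say so, e.g. `# May pass even without the fix; run under Valgrind to detect the invalid read`. The reason for pairing CHAR(1) with CHAR(245), and for using GROUP BY on t2 only, is not stated either. A one-line comment on each case would keep them from being simplified away later.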
@@ -9816,7 +9816,12 @@ Field *create_tmp_field(THD *thd, TABLE convert_blob_length); if (orig_type == Item::REF_ITEM && orig_modify) ((Item_ref*)orig_item)->set_result_field(result); - if (field->field->eq_def(result)) + /* + Fields that are used as arguments to the DEFAULT() function already have + their data pointers set to the default value during name resulotion. See + Item_default_value::fix_fields. + */ + if (orig_type != Item::DEFAULT_VALUE_ITEM && field->field->eq_def(result)) *default_field= field->field; return result; } --===============1890567484== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/martin.hansson@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: martin.hansson@stripped\ # sz4k5q589b50ixy4 # target_branch: file:///data0/martin/bzrroot/bug58207/5.1bt-\ # minimal_fix/ # testament_sha1: 4724e6bd2391bce5a369957c74810f08d24f36d0 # timestamp: 2010-12-14 11:37:03 +0100 # base_revision_id: tor.didriksen@stripped\ # 81lprlbune7r98dl # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWb83ao8AA7hfgFAQeff//3/n 3yC////wYAg3au+06AApEtqC2ATYFs8JJKbU2UyZUeFPEmj2CRpNpPUwnqeoaepoNAZA1FPUNGmy nlA2ppoAAAAaGgAABCpsmiP1QBo0AAGCYQ0BoAAAJEhU9HqNKb01TJtPSJjUaaBoAyaA0DaQyHDT TIxGE0wEMAmmEYJiZDTI0NAJJAQAmINAqeaaEYhoiAbU9TIDR4oYEnRykeWstGCVooTzWtwPOsnK 4vWEJYUoyjHAPCQl1gVW18GQnDhwZ9icwDFiLbu/Rw3l/E7uqVm3nSvTBSioHEHh0+4MH53haDww 57/C0IhYuC40zMMybxdIa51ZKI3Bktzx4Ok6aCkbrPJk0HxOE4QlpHpL+QLAkLCse8PXq7DCMOhL mG2B9O4moXnKnNq5dRqpJnUFVXCQpAgIwOnSFPp9NPXMWQVGTCUhEkGBIAJlBxO7DKhQUQal/0N5 5jFY4ePHmsj9a6hUldbF1DdB/kGzSmMTh15YbLbmt01RNhzc8Na54Ua0SMkuigYZmzXV2gazUF4Q DxAYxLRwHU2foDwehg67sraRj0GPKzwiQH74A6pzJl6uD5VhpSddwew1nqEFoawDXfjW6cwaizwM mdWaNBqEW4i7erW+wwkoEklQnCXf1F+O7RRwoUlnEAzLRHa/8gV5EgGninExhKCA9IONYTCseImT ISJFMmIpojyASFAkTRFVlEn0CIaWJZjmOwYJqXo4QerFYj87DmctJOfUdSCFr1Vvtq2Yt20KCl35 
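Review bot: The new guard in create_tmp_field looks only at `orig_type`, so a DEFAULT() argument that arrives wrapped in a reference may still have `*default_field` set; the line just above shows `orig_item` can be an `Item_ref` with `orig_type == Item::REF_ITEM`, and then `orig_type != Item::DEFAULT_VALUE_ITEM` is true. Whether such an item can reach this branch cannot be told from the hunk, because the function starts outside it, so this should be confirmed against the callers and covered by a test case. The added comment would also help more if it named the consequence, e.g. `Setting *default_field here would apply the pointer shift a second time and read outside the record buffer.`, and it contains a typo: `name resolution` is meant.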
laICMAq/a+WwGBkmJjTPxuq6EexxDA0HGRSw1SxMSu0vWxilVIu2mwH2uNbwRmTUuBMStKDyLYk+ BTvzqnN2Je52VBtDbhIV5cOsOO0/bsMIYFFuVSpebBD1YQ4vuiaYjhFZFRpo4ae7xDmGr7nccK6n hiJlcXIDhvz5wc1B0trsiRbI4hrNOb7sKPqN9cxHKyy68Y6xIpcxELauI67bOsu0KbSs5bIrc2cG PkqiWYi0w2bSOv72l+Y/zOoi3LacLKltDSLk4iTaRDi3NjYROGj0ULWJxZvyVMtri4Q4msLx37rL txiS9wzmLhlZaUVIiPwLjAecS6RiRJblAsfY5zPldfBqn3SZJWqTKQVJX7JAh0utg2TEqm+E8c8Z cJZG3eRJmuRF5tU7O1a7DAYREt1Y0VEHEQ1JtbrumcOUohTlCu2p1DmGcE3IabQCgUqGmpe5moMh g+UL/rv5lRcivRIbfF6VfvHbYAewXYjrDMdAa0K25MG3+xUKMwYTCQEJQwlBjD+i6AxQB1oXSBRh 2IqhVA6qwfwHAMO1w9opATQr0O/wBh9gLQ1ApkSYWhiBgfYrAiYB8w+4aswqAtBwDxTC+QQoi5EU K0ki/OZbufT6jl06lggfPzUUkvk84dwIH+Q3EQeggjqGXR7SfbtOpb8Z20i7t6SjroIeZGAY6Rxu IwiLf8F9NjhR4ovnFfDahfxeVoGX/LEKbx0hrznW/ViWgWR0Laqpx1QQK/eI3cfwrPSSSYzIO8ph 3koxoFH+gnxwTGoRnyyBxq6lh16QwwmPh0W/9VQVbCePz3nOqoNrmSWasQG2I/9ByCalluIKCZUp jsNCK00z2UVGBWiJZAypQ8i00ol5SU3L0ghpxxXcH0RdSbVSWLEqTDpwIWePWvqb1tcbM4WqDJhp jjxnLjIEM3E5PM/7NHpxZihed3kr1pmywdUqhatQdBsfkDi+guWXZpfMHbdXlDLM0Zs/FnvCnpI4 uKWm1ubwcWi2kGhYJlQkrZtcCghGGOzTdvS360kcE7a5KIcImwstZFKMu7VxOgO7Bux5u6jyERhR BxlIxRGoNWLln1O8+y8U9evlGw2xUHZueqoAWLo/G80clQ7lj0euzbUNyA8ELkYMHxYLG/yD5g4t 89yUu5jG/Um1+1ZaJc06S+bFP+ogUhcRQVSMmEtgr3bFQdnv77Oa7K128LLBWMMi3ZCfsxE61xiZ t6CKlu+NfI8Q7xGFnluOQq/h3cfBQYuuDxCAsOUA8ZJ5QoCoXtFkknKIyggdMN9Z5J7hFRW8XYGe 6rvgAe8Hua39T5Ay6dzGasF2rBQoPZyvtkvSg1teq6wdZirMpWjtY3DGrVBlHNCdw1RMSyoplaa2 BTJK2ik5/ZgVZfm0lRLIiiabSwIFx35+MGjFcwPmp5bFpU7CCccyQyE2kthtBiNNC/ySYVdZqt98 1FpYJjd29PR4RyRc/scmRAPSE69xNSfs/B9ijVCCs4CMb67xcbb7mnxbtD2QT18U5CPYykYrLT8n 8eskDzy5MaRgFtc065/at47JMtPXScSgKRKYmYc6+Tu7aoWERkZDuP++Gq2zUXrcK5ZzbwZRUlgJ yjzuDBtZZcJea82tZjoRkJMK4UZMM3oEEeBGgRuX4KLKtmGMK823LEEcBwvWqKp9BNVA0KvAPkvt wJNcczFimHiZixkvtuwXXZxhK8V5Bw+PPFagYlnFmVj4mZGiI0QZeQLBcVyJPDnVA23ihgbyUk82 xU0+VI2oJ0XmTKAXtJ6lmuYsDw4P10h5DUdq2GwYvChB5vEbstbkzUsWiLjZt8hQWCCY0Ayio22J 4/i7kinChIX5u1R4 --===============1890567484==--