From: Tor Didriksen Date: January 14 2011 9:05am Subject: bzr commit into mysql-5.5 branch (tor.didriksen:3242) Bug#59241 List-Archive: http://lists.mysql.com/commits/128702 X-Bug: 59241 Message-Id: <20110114090517.D3E413776@atum07.norway.sun.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0415893149251366152==" --===============0415893149251366152== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///export/home/didrik/repo/5.5/ based on revid:serge.kozlov@stripped 3242 Tor Didriksen 2011-01-14 Bug #59241 invalid memory read in do_div_mod with doubly assigned variables Fix: copy my_decimal by value, to avoid dangling pointers. @ mysql-test/r/func_math.result New test case. @ mysql-test/t/func_math.test New test case. @ sql/item_cmpfunc.cc No need to call fix_buffer_pointer() anymore. @ sql/item_func.cc Copy my_decimal by value, to avoid dangling pointers. @ sql/my_decimal.h Implement proper copy constructor and assignment operator for my_decimal. @ sql/sql_analyse.cc No need to call fix_buffer_pointer() anymore. @ strings/decimal.c Remove #line directive: it messes up TAGS and it confuses gdb when debugging. modified: mysql-test/r/func_math.result mysql-test/t/func_math.test sql/item_cmpfunc.cc sql/item_func.cc sql/my_decimal.h sql/sql_analyse.cc strings/decimal.c === modified file 'mysql-test/r/func_math.result' --- a/mysql-test/r/func_math.result 2010-12-24 11:21:44 +0000 +++ b/mysql-test/r/func_math.result 2011-01-14 09:05:14 +0000 
@@ -641,3 +641,12 @@ INSERT INTO t1 (SELECT -pi()); Warnings: Warning 1265 Data truncated for column 'a' at row 1 DROP TABLE t1; +# +# Bug #59241 invalid memory read +# in do_div_mod with doubly assigned variables +# +SELECT ((@a:=@b:=1.0) div (@b:=@a:=get_format(datetime, 'usa'))); +((@a:=@b:=1.0) div (@b:=@a:=get_format(datetime, 'usa'))) +NULL +Warnings: +Warning 1366 Incorrect decimal value: '' for column '' at row -1 === modified file 'mysql-test/t/func_math.test' --- a/mysql-test/t/func_math.test 2010-12-24 11:21:44 +0000 +++ b/mysql-test/t/func_math.test 2011-01-14 09:05:14 +0000 @@ -489,3 +489,9 @@ as foo; CREATE TABLE t1(a char(0)); INSERT INTO t1 (SELECT -pi()); DROP TABLE t1; + +--echo # +--echo # Bug #59241 invalid memory read +--echo # in do_div_mod with doubly assigned variables +--echo # +SELECT ((@a:=@b:=1.0) div (@b:=@a:=get_format(datetime, 'usa'))); === modified file 'sql/item_cmpfunc.cc' --- a/sql/item_cmpfunc.cc 2011-01-13 08:33:30 +0000 +++ b/sql/item_cmpfunc.cc 2011-01-14 09:05:14 +0000 @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -2086,7 +2086,6 @@ void Item_func_interval::fix_length_and_ if (dec != &range->dec) { range->dec= *dec; - range->dec.fix_buffer_pointer(); } } else === modified file 'sql/item_func.cc' --- a/sql/item_func.cc 2010-12-29 00:26:31 +0000 +++ b/sql/item_func.cc 2011-01-14 09:05:14 +0000 @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
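Review bot: The expected output pins the diagnostic `Warning 1366 Incorrect decimal value: '' for column '' at row -1`, whose empty value, empty column name and row -1 read like a conversion-warning path reached with no column context rather than an intended message. Recording it in the .result file makes that formatting part of the regression contract; if the text is not deliberate, the test would lock in something that a later fix to the message would then have to update. Worth confirming with the test author whether the message shape is intended or just observed.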
@@ -1581,24 +1581,22 @@ longlong Item_func_int_div::val_int() if (args[0]->result_type() != INT_RESULT || args[1]->result_type() != INT_RESULT) { - my_decimal value0, value1, tmp; - my_decimal *val0, *val1; - longlong res; - int err; - - val0= args[0]->val_decimal(&value0); - val1= args[1]->val_decimal(&value1); + my_decimal tmp; + my_decimal val0= *args[0]->val_decimal(&tmp); + my_decimal val1= *args[1]->val_decimal(&tmp); if ((null_value= (args[0]->null_value || args[1]->null_value))) return 0; + int err; if ((err= my_decimal_div(E_DEC_FATAL_ERROR & ~E_DEC_DIV_ZERO, &tmp, - val0, val1, 0)) > 3) + &val0, &val1, 0)) > 3) { if (err == E_DEC_DIV_ZERO) signal_divide_by_null(); return 0; } + longlong res; if (my_decimal2int(E_DEC_FATAL_ERROR, &tmp, unsigned_flag, &res) & E_DEC_OVERFLOW) raise_integer_overflow(); === modified file 'sql/my_decimal.h' --- a/sql/my_decimal.h 2010-10-19 22:51:34 +0000 +++ b/sql/my_decimal.h 2011-01-14 09:05:14 +0000 @@ -1,4 +1,4 @@ -/* Copyright (C) 2005-2006 MySQL AB +/* Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -102,6 +102,24 @@ class my_decimal :public decimal_t public: + my_decimal(const my_decimal &rhs) : decimal_t(rhs) + { + for (uint i= 0; i < DECIMAL_BUFF_LENGTH; i++) + buffer[i]= rhs.buffer[i]; + fix_buffer_pointer(); + } + + my_decimal& operator=(const my_decimal &rhs) + { + if (this == &rhs) + return *this; + decimal_t::operator=(rhs); + for (uint i= 0; i < DECIMAL_BUFF_LENGTH; i++) + buffer[i]= rhs.buffer[i]; + fix_buffer_pointer(); + return *this; + } + void init() { len= DECIMAL_BUFF_LENGTH; @@ -248,7 +266,6 @@ inline void my_decimal2decimal(const my_decimal *from, my_decimal *to) { *to= *from; - to->fix_buffer_pointer(); } === modified file 'sql/sql_analyse.cc' --- a/sql/sql_analyse.cc 2010-07-09 12:28:51 +0000 
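Review bot: `my_decimal val0= *args[0]->val_decimal(&tmp);` (and the `val1` line after it) dereferences the pointer returned by val_decimal() before `null_value` is checked; the removed code kept the pointer in `val0`/`val1` and only dereferenced it after the check, so if val_decimal() returns a null pointer for a SQL NULL argument (as Item implementations commonly do), the copy-initialization now reads through a null pointer. The copy also has to happen per argument, because both calls write into the same `tmp`, so the check cannot simply be moved above the copies. Taking the pointer, testing that argument's `null_value`, then copying, keeps the by-value copy that fixes the dangling-pointer bug while restoring the null guard; if evaluating args[1] even when args[0] is NULL must be preserved for side effects, keep the second val_decimal() call and skip only the copy. Reusing `tmp` as the division result afterwards is fine since `val0`/`val1` are independent copies by then. Item_func_int_div::val_int() starts and ends outside the hunk.
```cpp
    my_decimal tmp;
    my_decimal *val0p= args[0]->val_decimal(&tmp);
    if ((null_value= args[0]->null_value))
      return 0;
    my_decimal val0= *val0p;              // copy now: tmp is reused for args[1]

    my_decimal *val1p= args[1]->val_decimal(&tmp);
    if ((null_value= args[1]->null_value))
      return 0;
    my_decimal val1= *val1p;
    // … unchanged: my_decimal_div / my_decimal2int and the overflow handling …
```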
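Review bot: The new copy constructor and `operator=` in my_decimal carry no comment saying why a user-defined copy is required, and the reason is exactly the bug this commit fixes: the base `decimal_t` holds a `buf` pointer that, after the memberwise copy done by `decimal_t(rhs)` / `decimal_t::operator=(rhs)`, still points into `rhs.buffer` until `fix_buffer_pointer()` re-targets it, and that pointer dangles once `rhs` is destroyed. A header comment above the copy constructor along the lines of `/* decimal_t::buf must point at this object's own buffer; the compiler-generated copy would leave it pointing into rhs, which dangles when rhs dies (see the call to fix_buffer_pointer()). */` would keep the next maintainer from "simplifying" these back to the defaults, which is also why the fix_buffer_pointer() calls removed in item_cmpfunc.cc, sql_analyse.cc and my_decimal2decimal() are now safe. The element-by-element loop over `DECIMAL_BUFF_LENGTH` is duplicated in both members; a small private helper (or a `memcpy` of `buffer`) would remove the duplication, and note that the copy relies on `rhs.len` describing a buffer of at most `DECIMAL_BUFF_LENGTH` elements, which init() establishes but the hunk does not assert. The class starts before the hunk and ends after it.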
+++ b/sql/sql_analyse.cc 2011-01-14 09:05:14 +0000 @@ -1,4 +1,4 @@ -/* Copyright (C) 2000-2006 MySQL AB +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -521,9 +521,6 @@ void field_decimal::add() { found = 1; min_arg = max_arg = sum[0] = *dec; - min_arg.fix_buffer_pointer(); - max_arg.fix_buffer_pointer(); - sum[0].fix_buffer_pointer(); my_decimal_mul(E_DEC_FATAL_ERROR, sum_sqr, dec, dec); cur_sum= 0; min_length = max_length = length; @@ -545,12 +542,10 @@ void field_decimal::add() if (my_decimal_cmp(dec, &min_arg) < 0) { min_arg= *dec; - min_arg.fix_buffer_pointer(); } if (my_decimal_cmp(dec, &max_arg) > 0) { max_arg= *dec; - max_arg.fix_buffer_pointer(); } } } === modified file 'strings/decimal.c' --- a/strings/decimal.c 2010-07-20 19:30:10 +0000 +++ b/strings/decimal.c 2011-01-14 09:05:14 +0000 @@ -1,4 +1,4 @@ -/* Copyright (C) 2000 MySQL AB +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -13,8 +13,6 @@ along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#line 18 "decimal.c" - /* ======================================================================= NOTE: this library implements SQL standard "exact numeric" type --===============0415893149251366152== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/tor.didriksen@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: tor.didriksen@stripped\ # n2ixo8vof6sqxuih # target_branch: file:///export/home/didrik/repo/5.5/ # testament_sha1: 25df998168a08744988de138a7c06f023e0c6b8c # timestamp: 2011-01-14 10:05:17 +0100 # base_revision_id: serge.kozlov@stripped\ # xzrirqyu3adanfvv # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWaKiyHIABvr/gFBwACBZ//// f+eeir////5gDU5S986yi2wAAAN3XbTNaipV0ZdtRRTW6YoBJJAjKZoT1Tan6mm0ahjUTRnqGiA2 oMjRtR6eqPUONGTIwjEAwmgwCaDQMmTRkyGEBjjRkyMIxAMJoMAmg0DJk0ZMhhAYYhJkNKn6jyoD ZRtR6hk8oAD1AAAAAEVCTBpDQTAjCaCYCap+U9QjJp5QANNAEkmiNAAmjSYhpNPSnoKaaAGm1AAD Jp6SFL4skd2LbSznT+WR+fMwSubetPC8fGz89/gYM/hfdezZnVSgf1KfJc5APnY4gbOXhqicRFAT hssHIrenaY27oJFqFN6l0okABwRkI3nU5zITQuvbEnaTSUN0AQSwBcGSxBQsPs/RzZJnLUUeai2I wP7B8tlnMl5FAyJSASIrIWD7EngsqgagpLQza20aWjRp57iEL7dRGJEsLKVq8n472lc1lJ1eFaqi jWKSdFJnikVcvcT1KMp0o7CfdRstIe+9KIzb61yadBnGKCNoXZ4jdwSnNofJktpOz9J4/ILjCbGG KtItDUeJR2LkMHxRFL4EaVC1EQPQxRR6kRJ+JcUuVDOvuZXm5j2ez07NrH6nnOz4c8zn8EdibHr9 EkpQlde9GyRSyAPp0EEkRykdw3NrCH5KMhYx4QJliBSW+Xhoc3+QaezHOG5DwqMlAbjinUvUoH/a i0LDYrrW/m4QQ5nCrEhlGDpegF5gtfm/mHrn3uL8QiNBdU8I34BoYPAy1CFmPa0VPGoK2F5u9xkl 4zbI0/LEGmGyzzmTCneAwMQk4MySL0gxIocNBGyalsqtqciRqWUbbbV6uEw0QGMECEHPRl9mifMF OqiQdYmpCIzkuApJk4wlQ0oQaBIKMAGIwKJ0jzFAU+eBpqwCdcIsSZEJiEyJUDejSgMOojKZ3CCN ZJBMiIrV6w+0xLbCoDAbbQyvAQqOFqklLFYzm5IZTVwxM8MbiJ4cb4TZwEpFIPnNjRBCFhz4jhrL 
CpR+mG0x0CkfplkrLdCJGarL6wL2x2MpKNTFpOvuyjEN37o5lNchBfSILkFCKBii/4VGcbxSgBWY Q4EiXUulorbjAlvKaB6e+tOt4UeUyWQ0+SCidg2e5LvNjsdtktnMO7PpQhFpccS4cz4edbWSjAp2 dnvaChqGqBmQMhhIwmuNqkDclCnOgpPPJ8hi1U+RVEDAqJvdSpHgyr5Z1xoGLTv4q3OnMp3HOAsS JApHCNh0uiIoNTBYG5bSP+/M5JtFXxEEjmpLytUlyDfw4G6/fkUcAgS3GOtaDcRHnxrKuVS4G8mr njgRV5g76919JgQmqLoEh1V7cNDIrKdIHzVAb6z61IiPAJngHX19VdEXt5rhjrDK+DcYEkCOrI1V CYY4HSK2Lzc9BB3sY3nBQOk4j6q3epmUmimpdRG7JTAiZEO8nwUjcP8w8VNfFcVX7b5Fd9cZb7V2 qHXsClmgIHLCBmsitS3hSVlCmXu/AiqTWjhMxS4lLOcR1MzgOqDEbRAzN9aYm3G0zUyzd46e2GZS NWc1KmVqpVes2rwueGtEK6qy+quENxEiVmBMlwqpFPLRVk674FSrJ7/ocwLpq6NYWMQc+FfCKCNA yuJExzOwvMunVdDXgmdfgnEHULF2PdyXgsVy3ZbtzgydBxH4lDq4iOMQPIM34sU8C2/gX/R7PFTs 2V8DLeW80sWemjz48t9KCk6GrjFw5htUShSu7Bb1yXqLlPdbXs83Z5RVBiLiTJC7i+gplBTKCY7G Q0NZ2GECkl3NXmSeG6NBtIgYGGnIQd240JXIHTZ1iDQyMuWmhROZTDUygmJEIXk1oidpMpmgvqo6 6kjGSB5FlhVkz6wlKmLjmBnn67yXrty3wrvzzZezgLgKyRQaGUw04QkPB4pU6tRROQEACxmzo5Am S07TAeABhSLrAz2iJAiGhRPu5HQOKGHmHzWTFYDV70F+kkMMAn2ZDMyMYk3GsfI0s4IbvZZdfoHu 3jBwnSYYOFQl3/l+ZNKj0DMmYYTG01vl9wM4CDWd59Bj/H8I/3YXTYbmqq8wLKj7yJZMMUN97lhF yP5i+g7B4B5+Q3mGRuPdPYOlPuAkQX7Xe0J0LFYLwgJ8CdLjDBe9zhKRmB5dXacvpiAJDsGh6yIq VuFYRojSaSIsH4LK6CsqTa/B8ZwAw4WpgH3Ey/LDqSoCsT32qmsYEHFsIjr2g7fBLJrakDHlQPX+ 9EJv7V+BeQkHyygwZItUBFiTXLTJeaoUz5L3vnxMOh0Pll30jTY7wpKjCocqKTqKo/eTOp262FR7 DzOydXDUaCSUukwy+atJy+qyysWGcI4FwHQIUii5ZqkRQRXURqS3novVampUd/uTH4w6FhaIyDx2 MQZkHOFzHfX3aUXDZLuYgBrTDYi7Y6iDb1My+rBfL8TlN5S7unREPHxySiihHh4S77aNpyNolvEg s0JDtxYUOrRThKq1fPK6DS1u3RWZTkbzcy6jmJ7lhBMtr+Uko/3fW8FDiBgClti3sHfydCJsm8nk 6LercnRBeqiHmwJeZ2LEFyMF5Fkm43cVYvTEoKYenaNfjJ+HtOg9x6DWl/nIxMfLXNqUt6Xx0Wvo ikdItwmgyut7+hkHia9WUIINR23G5zpZYSWNrc8iqHurHpxsbQJqizJW1cW681y+6OQjbivw8rGS BzhkyWiZB2qDj0hqBFVLvZRHgi5MOiebJchISEIpuYsUfg95K0GDpqIbkTYc5xiSDkMRORxCujJe S6CCzqVkazfEIlrqJaaOB4+WtkBkzuYDWBJP1ZQ/m/otvYsF8VmkD0L0XniG/AkeyVSpScBALLYe 2zFraoDaqlAZ8WR1PA239rmdSWRij/BieeQxUiW4n1LaAyB2NdLaHY+Yb97U2EmcQIOiQklgtDFl 
3AF7z1YJVPbUGsyXvq3r15xPFucbyUNhiCBNicXo7XY0n+AvD4obnqOtPMSP55pA91/YiBV5WCNA 6oCabZRBGyzEB3IFajQ+ZyEacc8XOVo95vF+eb38J5xNFr4Pq7xLDwyPhGLHk0J8rR06v2bA9BC8 lPvrHGcilVVdVStK7wtcJ1xZFeuhj4MpoEcKkVeBX1gsl7gRd6BskwGwmSGBlSDNJSAgmJc5PyqS oMDm3ubGkwIKNEUTmwsUrf7fIi/VO3gEcNk6MTGYqC7yfreoIl4FAJTXYd9RGSBbk6BIRbF6ndTq AlgPJ4eZkC7PIMLSWhmMMLgNqfW8LOh9ni5Q2sHv7XvuImozaMJphmItGjwiRrUNb3uR7hppWxQh qTItzgBJaILhU3NJU40Vc6dnIQT41HNTvTA4UqktSGEyZkH6TzkPOzbjxuzhgD4JHg6QvEPAIsC/ S7nkIfZA8R0PTu5KvMJ3R7iD3YTcVRoPoMXOfx0xh1pGKJ+KjATQSGvJxwYGBHx1Ox5zK1Yuh65N ILc9n6o66skwB2TgYI7lik6Peu5lm/xCs1xiD2vUzA7w7MWnOOVxOnmQLXfeFzazbG142CGpqTug vbEOaShukxIAf+SKIdMmJpa+ViBIelHdztirgAp69wVsPPnYaEeT+DqQ+igEZDjWVTDxDpZp0BVP gc7dqbcZFuYyK4p8mQxcFCRgjSR5cnQzjszyIBK9efjaBdPE3I6gjkKKKqXI6SOZOswBiCHJu0Yg 85HA5nvE9NVZmZmZmZoQhCEIXBIgDuoxLhBUsEFgMdwwiFQibRij3D6rw2RPQ09ayDkCPueC1dOo RMnPl9X00T4rJWLXULAqfBlOi4SkNcC1OJ3BoKyNDQLLa2WOBA6/qbQlyqyOw00dph9WAUV6zgBB a/voLxM7VEjDInOmOhCXs3tHS6nnDM52Dyp1D6+gFT9GHeIOZQYr36If3kBnBHJ+GS+1SdUAyvXb Zeq21uRs0JJ4Y4Q+0yvaSYQdrV2lexI1Pu6fnnd4m8+ohI8/JzOHFW18Xbjwy6XMGB53E+L6ONzv W6G7y5NuZPBne3vY5mkQ0cytQhSzbbnJigQd5RGshscbRmVyZnpcDkZE0uTM1he0uN6/m6aTPqdW kClg3bXRi1uTM7D/kH/4u5IpwoSFFRZDkA== --===============0415893149251366152==--