List:Commits« Previous MessageNext Message »
From:marko.makela Date:March 15 2011 11:13am
Subject:bzr push into mysql-5.1-innodb branch (marko.makela:3716 to 3717)
Bug#11849231
View as plain text  
 3717 Marko Mäkelä	2011-03-15
      Bug#11849231 inflateInit() invoked without initializing all memory
      
      According to the zlib documentation, next_in and avail_in
      must be initialized before invoking inflateInit or inflateInit2.
      Furthermore, the zalloc function must clear the allocated memory.
      
      btr_copy_zblob_prefix(): Replace the d_stream parameter with buf,len
      and return the copied length.
      
      page_zip_decompress(): Invoke inflateInit2 a little later.
      
      page_zip_zalloc(): Rename from page_zip_alloc().
      Invoke mem_heap_zalloc() instead of mem_heap_alloc().
      
      rb:619 approved by Jimmy Yang

    modified:
      storage/innodb_plugin/ChangeLog
      storage/innodb_plugin/btr/btr0cur.c
      storage/innodb_plugin/page/page0zip.c
 3716 Vasil Dimov	2011-03-02 [merge]
      Merge mysql-5.1 -> mysql-5.1-innodb

    removed:
      mysql-test/collections/mysql-5.1-bugteam.daily
      mysql-test/collections/mysql-5.1-bugteam.push
    added:
      mysql-test/extra/rpl_tests/rpl_insert_duplicate.test
      mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result
      mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt
      mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test
      mysql-test/suite/rpl/r/rpl_insert_duplicate.result
      mysql-test/suite/rpl/t/rpl_insert_duplicate.test
      mysql-test/suite/sys_vars/r/secure_file_priv2.result
      mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt
      mysql-test/suite/sys_vars/t/secure_file_priv2.test
    modified:
      README
      client/my_readline.h
      client/mysql.cc
      client/mysqldump.c
      client/readline.cc
      configure.in
      include/config-win.h
      include/my_bit.h
      include/my_bitmap.h
      include/my_pthread.h
      include/my_sys.h
      include/my_time.h
      mysql-test/collections/default.weekly
      mysql-test/extra/rpl_tests/rpl_insert_ignore.test
      mysql-test/include/commit.inc
      mysql-test/include/gis_keys.inc
      mysql-test/include/mysqlhotcopy.inc
      mysql-test/include/rpl_sync.inc
      mysql-test/mysql-test-run.pl
      mysql-test/r/commit_1innodb.result
      mysql-test/r/csv_not_null.result
      mysql-test/r/ctype_cp1250_ch.result
      mysql-test/r/ctype_cp1251.result
      mysql-test/r/ctype_eucjpms.result*
      mysql-test/r/ddl_i18n_koi8r.result
      mysql-test/r/ddl_i18n_utf8.result
      mysql-test/r/func_time.result
      mysql-test/r/gis.result
      mysql-test/r/grant.result
      mysql-test/r/group_by.result
      mysql-test/r/insert_select.result
      mysql-test/r/mysqldump.result
      mysql-test/r/not_embedded_server.result
      mysql-test/r/order_by.result
      mysql-test/r/range.result
      mysql-test/r/type_year.result
      mysql-test/r/user_var.result
      mysql-test/r/xml.result
      mysql-test/suite/binlog/r/binlog_unsafe.result
      mysql-test/suite/binlog/t/binlog_unsafe.test
      mysql-test/suite/engines/funcs/r/ps_string_not_null.result
      mysql-test/suite/engines/funcs/t/ps_string_not_null.test
      mysql-test/suite/engines/iuds/r/insert_year.result
      mysql-test/suite/innodb/r/innodb_gis.result
      mysql-test/suite/innodb_plugin/r/innodb_gis.result
      mysql-test/suite/rpl/r/rpl_circular_for_4_hosts.result
      mysql-test/suite/rpl/r/rpl_insert_ignore.result
      mysql-test/suite/rpl/t/disabled.def
      mysql-test/suite/rpl/t/rpl_circular_for_4_hosts.test
      mysql-test/suite/rpl/t/rpl_insert_ignore.test
      mysql-test/t/csv_not_null.test
      mysql-test/t/ctype_cp1250_ch.test
      mysql-test/t/ctype_cp1251.test
      mysql-test/t/ctype_eucjpms.test
      mysql-test/t/func_time.test
      mysql-test/t/gis.test
      mysql-test/t/grant.test
      mysql-test/t/group_by.test
      mysql-test/t/insert_select.test
      mysql-test/t/mysql.test
      mysql-test/t/mysqldump.test
      mysql-test/t/not_embedded_server.test
      mysql-test/t/order_by.test
      mysql-test/t/range.test
      mysql-test/t/type_year.test
      mysql-test/t/user_var.test
      mysql-test/t/variables.test
      mysql-test/t/xml.test
      mysys/my_bitmap.c
      mysys/my_fopen.c
      mysys/my_getsystime.c
      regex/my_regex.h
      regex/regcomp.c
      regex/reginit.c
      sql-common/my_time.c
      sql/field.cc
      sql/handler.cc
      sql/item.h
      sql/item_cmpfunc.cc
      sql/item_func.cc
      sql/item_geofunc.h
      sql/log.cc
      sql/mysql_priv.h
      sql/mysqld.cc
      sql/net_serv.cc
      sql/set_var.cc
      sql/sql_base.cc
      sql/sql_class.h
      sql/sql_connect.cc
      sql/sql_insert.cc
      sql/sql_load.cc
      sql/sql_parse.cc
      sql/sql_repl.cc
      sql/sql_select.cc
      sql/sql_show.cc
      sql/sql_string.h
      sql/sql_view.cc
      storage/innodb_plugin/ChangeLog
      storage/innodb_plugin/dict/dict0dict.c
      storage/innodb_plugin/handler/ha_innodb.cc
      storage/innodb_plugin/handler/i_s.cc
      storage/innodb_plugin/include/univ.i
      storage/innodb_plugin/include/ut0vec.h
      storage/innodb_plugin/include/ut0vec.ic
      storage/innodb_plugin/lock/lock0lock.c
      storage/innodb_plugin/row/row0merge.c
      storage/myisam/mi_create.c
      strings/xml.c
      support-files/mysql.spec.sh
      tests/mysql_client_test.c
      unittest/mysys/bitmap-t.c
=== modified file 'storage/innodb_plugin/ChangeLog'
--- a/storage/innodb_plugin/ChangeLog	revid:vasil.dimov@stripped02085943-2ywlry42umdfhw5e
+++ b/storage/innodb_plugin/ChangeLog	revid:marko.makela@strippedlra9lax6wye
@@ -1,3 +1,8 @@
+2011-03-15	The InnoDB Team
+
+	* btr/btr0cur.c, page/page0zip.c:
+	Fix Bug#11849231 inflateInit() invoked without initializing all memory
+
 2011-02-28	The InnoDB Team
 
 	* btr/btr0sea.c, buf/buf0buf.c, buf/buf0lru.c:

=== modified file 'storage/innodb_plugin/btr/btr0cur.c'
--- a/storage/innodb_plugin/btr/btr0cur.c	revid:vasil.dimov@strippedumdfhw5e
+++ b/storage/innodb_plugin/btr/btr0cur.c	revid:marko.makela@stripped
@@ -4627,27 +4627,45 @@ btr_copy_blob_prefix(
 
 /*******************************************************************//**
 Copies the prefix of a compressed BLOB.  The clustered index record
-that points to this BLOB must be protected by a lock or a page latch. */
+that points to this BLOB must be protected by a lock or a page latch.
+@return	number of bytes written to buf */
 static
-void
+ulint
 btr_copy_zblob_prefix(
 /*==================*/
-	z_stream*	d_stream,/*!< in/out: the decompressing stream */
+	byte*		buf,	/*!< out: the externally stored part of
+				the field, or a prefix of it */
+	ulint		len,	/*!< in: length of buf, in bytes */
 	ulint		zip_size,/*!< in: compressed BLOB page size */
 	ulint		space_id,/*!< in: space id of the BLOB pages */
 	ulint		page_no,/*!< in: page number of the first BLOB page */
 	ulint		offset)	/*!< in: offset on the first BLOB page */
 {
-	ulint	page_type = FIL_PAGE_TYPE_ZBLOB;
+	ulint		page_type = FIL_PAGE_TYPE_ZBLOB;
+	mem_heap_t*	heap;
+	int		err;
+	z_stream	d_stream;
+
+	d_stream.next_out = buf;
+	d_stream.avail_out = len;
+	d_stream.next_in = Z_NULL;
+	d_stream.avail_in = 0;
+
+	/* Zlib inflate needs 32 kilobytes for the default
+	window size, plus a few kilobytes for small objects. */
+	heap = mem_heap_create(40000);
+	page_zip_set_alloc(&d_stream, heap);
 
 	ut_ad(ut_is_2pow(zip_size));
 	ut_ad(zip_size >= PAGE_ZIP_MIN_SIZE);
 	ut_ad(zip_size <= UNIV_PAGE_SIZE);
 	ut_ad(space_id);
 
+	err = inflateInit(&d_stream);
+	ut_a(err == Z_OK);
+
 	for (;;) {
 		buf_page_t*	bpage;
-		int		err;
 		ulint		next_page_no;
 
 		/* There is no latch on bpage directly.  Instead,
@@ -4663,7 +4681,7 @@ btr_copy_zblob_prefix(
 				" compressed BLOB"
 				" page %lu space %lu\n",
 				(ulong) page_no, (ulong) space_id);
-			return;
+			goto func_exit;
 		}
 
 		if (UNIV_UNLIKELY
@@ -4689,13 +4707,13 @@ btr_copy_zblob_prefix(
 			offset += 4;
 		}
 
-		d_stream->next_in = bpage->zip.data + offset;
-		d_stream->avail_in = zip_size - offset;
+		d_stream.next_in = bpage->zip.data + offset;
+		d_stream.avail_in = zip_size - offset;
 
-		err = inflate(d_stream, Z_NO_FLUSH);
+		err = inflate(&d_stream, Z_NO_FLUSH);
 		switch (err) {
 		case Z_OK:
-			if (!d_stream->avail_out) {
+			if (!d_stream.avail_out) {
 				goto end_of_blob;
 			}
 			break;
@@ -4712,13 +4730,13 @@ inflate_error:
 				" compressed BLOB"
 				" page %lu space %lu returned %d (%s)\n",
 				(ulong) page_no, (ulong) space_id,
-				err, d_stream->msg);
+				err, d_stream.msg);
 		case Z_BUF_ERROR:
 			goto end_of_blob;
 		}
 
 		if (next_page_no == FIL_NULL) {
-			if (!d_stream->avail_in) {
+			if (!d_stream.avail_in) {
 				ut_print_timestamp(stderr);
 				fprintf(stderr,
 					"  InnoDB: unexpected end of"
@@ -4727,7 +4745,7 @@ inflate_error:
 					(ulong) page_no,
 					(ulong) space_id);
 			} else {
-				err = inflate(d_stream, Z_FINISH);
+				err = inflate(&d_stream, Z_FINISH);
 				switch (err) {
 				case Z_STREAM_END:
 				case Z_BUF_ERROR:
@@ -4739,7 +4757,7 @@ inflate_error:
 
 end_of_blob:
 			buf_page_release_zip(bpage);
-			return;
+			goto func_exit;
 		}
 
 		buf_page_release_zip(bpage);
@@ -4751,6 +4769,12 @@ end_of_blob:
 		offset = FIL_PAGE_NEXT;
 		page_type = FIL_PAGE_TYPE_ZBLOB2;
 	}
+
+func_exit:
+	inflateEnd(&d_stream);
+	mem_heap_free(heap);
+	UNIV_MEM_ASSERT_RW(buf, d_stream.total_out);
+	return(d_stream.total_out);
 }
 
 /*******************************************************************//**
@@ -4776,28 +4800,8 @@ btr_copy_externally_stored_field_prefix_
 	}
 
 	if (UNIV_UNLIKELY(zip_size)) {
-		int		err;
-		z_stream	d_stream;
-		mem_heap_t*	heap;
-
-		/* Zlib inflate needs 32 kilobytes for the default
-		window size, plus a few kilobytes for small objects. */
-		heap = mem_heap_create(40000);
-		page_zip_set_alloc(&d_stream, heap);
-
-		err = inflateInit(&d_stream);
-		ut_a(err == Z_OK);
-
-		d_stream.next_out = buf;
-		d_stream.avail_out = len;
-		d_stream.avail_in = 0;
-
-		btr_copy_zblob_prefix(&d_stream, zip_size,
-				      space_id, page_no, offset);
-		inflateEnd(&d_stream);
-		mem_heap_free(heap);
-		UNIV_MEM_ASSERT_RW(buf, d_stream.total_out);
-		return(d_stream.total_out);
+		return(btr_copy_zblob_prefix(buf, len, zip_size,
+					     space_id, page_no, offset));
 	} else {
 		return(btr_copy_blob_prefix(buf, len, space_id,
 					    page_no, offset));

=== modified file 'storage/innodb_plugin/page/page0zip.c'
--- a/storage/innodb_plugin/page/page0zip.c	revid:vasil.dimov@stripped2ywlry42umdfhw5e
+++ b/storage/innodb_plugin/page/page0zip.c	revid:marko.makela@stripped9lax6wye
@@ -653,13 +653,13 @@ page_zip_dir_encode(
 Allocate memory for zlib. */
 static
 void*
-page_zip_malloc(
+page_zip_zalloc(
 /*============*/
 	void*	opaque,	/*!< in/out: memory heap */
 	uInt	items,	/*!< in: number of items to allocate */
 	uInt	size)	/*!< in: size of an item in bytes */
 {
-	return(mem_heap_alloc(opaque, items * size));
+	return(mem_heap_zalloc(opaque, items * size));
 }
 
 /**********************************************************************//**
@@ -684,7 +684,7 @@ page_zip_set_alloc(
 {
 	z_stream*	strm = stream;
 
-	strm->zalloc = page_zip_malloc;
+	strm->zalloc = page_zip_zalloc;
 	strm->zfree = page_zip_free;
 	strm->opaque = heap;
 }
@@ -2912,19 +2912,18 @@ zlib_error:
 
 	page_zip_set_alloc(&d_stream, heap);
 
-	if (UNIV_UNLIKELY(inflateInit2(&d_stream, UNIV_PAGE_SIZE_SHIFT)
-			  != Z_OK)) {
-		ut_error;
-	}
-
 	d_stream.next_in = page_zip->data + PAGE_DATA;
 	/* Subtract the space reserved for
 	the page header and the end marker of the modification log. */
 	d_stream.avail_in = page_zip_get_size(page_zip) - (PAGE_DATA + 1);
-
 	d_stream.next_out = page + PAGE_ZIP_START;
 	d_stream.avail_out = UNIV_PAGE_SIZE - PAGE_ZIP_START;
 
+	if (UNIV_UNLIKELY(inflateInit2(&d_stream, UNIV_PAGE_SIZE_SHIFT)
+			  != Z_OK)) {
+		ut_error;
+	}
+
 	/* Decode the zlib header and the index information. */
 	if (UNIV_UNLIKELY(inflate(&d_stream, Z_BLOCK) != Z_OK)) {
 

Attachment: [text/bzr-bundle] bzr/marko.makela@oracle.com-20110315100102-y1cralra9lax6wye.bundle
Thread
bzr push into mysql-5.1-innodb branch (marko.makela:3716 to 3717)Bug#11849231marko.makela15 Mar