#At file:///home/bar/mysql-bzr/mysql-trunk.b11898467/ based on revid:alexander.barkov@stripped
3316 Alexander Barkov 2011-03-23
BUG 11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG
Problem: Item_func_weight_string() could allocate unlimited amount
of memory, which led to server crash.
Fix: honor max_alloced_packet in Item_func_weight_string::val_str()
@ mysql-test/r/func_weight_string.result
@ mysql-test/t/func_weight_string.test
Adding tests
@ sql/item_strfunc.cc
Don't return results longer than max_allowed_packet
modified:
mysql-test/r/func_weight_string.result
mysql-test/t/func_weight_string.test
sql/item_strfunc.cc
=== modified file 'mysql-test/r/func_weight_string.result'
--- a/mysql-test/r/func_weight_string.result 2010-03-22 09:13:41 +0000
+++ b/mysql-test/r/func_weight_string.result 2011-03-23 13:28:18 +0000
@@ -76,3 +76,16 @@ hex(weight_string(s1))
NULL
41
drop table t1;
+#
+# BUG 11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG
+#
+SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000)));
+HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000)))
+NULL
+Warnings:
+Warning 1301 Result of weight_string() was larger than max_allowed_packet (1048576) - truncated
+SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000)));
+HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000)))
+NULL
+Warnings:
+Warning 1301 Result of weight_string() was larger than max_allowed_packet (1048576) - truncated
=== modified file 'mysql-test/t/func_weight_string.test'
--- a/mysql-test/t/func_weight_string.test 2010-03-22 09:13:41 +0000
+++ b/mysql-test/t/func_weight_string.test 2011-03-23 13:28:18 +0000
@@ -104,3 +104,10 @@ create table t1 (s1 varchar(5));
insert into t1 values ('a'),(null);
select hex(weight_string(s1)) from t1 order by s1;
drop table t1;
+
+--echo #
+--echo # BUG 11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG
+--echo #
+SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000)));
+SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000)));
+
=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc 2011-03-10 08:23:14 +0000
+++ b/sql/item_strfunc.cc 2011-03-23 13:28:18 +0000
@@ -3217,6 +3217,15 @@ String *Item_func_weight_string::val_str
cs->coll->strnxfrmlen(cs, cs->mbmaxlen *
max(res->length(), nweights));
+ if(tmp_length > current_thd->variables.max_allowed_packet)
+ {
+ push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_WARN,
+ ER_WARN_ALLOWED_PACKET_OVERFLOWED,
+ ER(ER_WARN_ALLOWED_PACKET_OVERFLOWED), func_name(),
+ current_thd->variables.max_allowed_packet);
+ goto nl;
+ }
+
if (tmp_value.alloc(tmp_length))
goto nl;
Attachment: [text/bzr-bundle] bzr/alexander.barkov@oracle.com-20110323132818-r14e9tl1azwhamaq.bundle
| Thread |
|---|
| • bzr commit into mysql-trunk branch (alexander.barkov:3316) | Alexander Barkov | 23 Mar |
