List:Commits« Previous MessageNext Message »
From:Alexander Barkov Date:March 24 2011 10:31am
Subject:bzr commit into mysql-trunk branch (alexander.barkov:3319) Bug#11898467
View as plain text  
#At file:///home/bar/mysql-bzr/mysql-trunk.b11898467/ based on revid:marc.alff@stripped

 3319 Alexander Barkov	2011-03-24
      BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG 
            
      Problem: Item_func_weight_string() could allocate unlimited amount
      of memory, which led to server crash.
      
      Fix: honor max_allowed_packet in Item_func_weight_string::val_str()
      
        @ mysql-test/r/func_weight_string.result
        @ mysql-test/t/func_weight_string.test
        Adding tests
      
        @ sql/item_strfunc.cc
        Don't return results longer than max_allowed_packet

    modified:
      mysql-test/r/func_weight_string.result
      mysql-test/t/func_weight_string.test
      sql/item_strfunc.cc
=== modified file 'mysql-test/r/func_weight_string.result'
--- a/mysql-test/r/func_weight_string.result	2010-03-22 09:13:41 +0000
+++ b/mysql-test/r/func_weight_string.result	2011-03-24 10:30:47 +0000
@@ -76,3 +76,16 @@ hex(weight_string(s1))
 NULL
 41
 drop table t1;
+#
+# BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG 
+#
+SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000)));
+HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000)))
+NULL
+Warnings:
+Warning	1301	Result of weight_string() was larger than max_allowed_packet (1048576) - truncated
+SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000)));
+HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000)))
+NULL
+Warnings:
+Warning	1301	Result of weight_string() was larger than max_allowed_packet (1048576) - truncated

=== modified file 'mysql-test/t/func_weight_string.test'
--- a/mysql-test/t/func_weight_string.test	2010-03-22 09:13:41 +0000
+++ b/mysql-test/t/func_weight_string.test	2011-03-24 10:30:47 +0000
@@ -104,3 +104,10 @@ create table t1 (s1 varchar(5));
 insert into t1 values ('a'),(null);
 select hex(weight_string(s1)) from t1 order by s1;
 drop table t1;
+
+--echo #
+--echo # BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG 
+--echo #
+SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000))); 
+SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000))); 
+

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2011-03-22 11:44:40 +0000
+++ b/sql/item_strfunc.cc	2011-03-24 10:30:47 +0000
@@ -3213,6 +3213,15 @@ String *Item_func_weight_string::val_str
               cs->coll->strnxfrmlen(cs, cs->mbmaxlen *
                                     max(res->length(), nweights));
 
+  if(tmp_length > current_thd->variables.max_allowed_packet)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_WARN,
+                        ER_WARN_ALLOWED_PACKET_OVERFLOWED,
+                        ER(ER_WARN_ALLOWED_PACKET_OVERFLOWED), func_name(),
+                        current_thd->variables.max_allowed_packet);
+    goto nl;
+  }
+
   if (tmp_value.alloc(tmp_length))
     goto nl;
 


Attachment: [text/bzr-bundle] bzr/alexander.barkov@oracle.com-20110324103047-b1wng23h917s530o.bundle
Thread
bzr commit into mysql-trunk branch (alexander.barkov:3319) Bug#11898467Alexander Barkov24 Mar