From: Alexander Barkov Date: March 24 2011 10:37am Subject: bzr push into mysql-trunk branch (alexander.barkov:3319 to 3320) Bug#11898467 List-Archive: http://lists.mysql.com/commits/133758 X-Bug: 11898467 Message-Id: <201103241037.p2OAbugv025061@bar.myoffice.izhnet.ru> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 3320 Alexander Barkov 2011-03-24 BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG Problem: Item_func_weight_string() could allocate unlimited amount of memory, which led to server crash. Fix: honor max_allowed_packet in Item_func_weight_string::val_str() @ mysql-test/r/func_weight_string.result @ mysql-test/t/func_weight_string.test Adding tests @ sql/item_strfunc.cc Don't return results longer than max_allowed_packet modified: mysql-test/r/func_weight_string.result mysql-test/t/func_weight_string.test sql/item_strfunc.cc 3319 Georgi Kodinov 2011-03-24 [merge] Null merge of bug #11766306 : have_innodb is deprecated in 5.6 Removed one dead extern declaration of have_innodb from set_var.h modified: sql/set_var.h === modified file 'mysql-test/r/func_weight_string.result' --- a/mysql-test/r/func_weight_string.result 2010-03-22 09:13:41 +0000 +++ b/mysql-test/r/func_weight_string.result 2011-03-24 10:37:16 +0000 
@@ -76,3 +76,16 @@ hex(weight_string(s1)) NULL 41 drop table t1; +# +# BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG +# +SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000))); +HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000))) +NULL +Warnings: +Warning 1301 Result of weight_string() was larger than max_allowed_packet (1048576) - truncated +SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000))); +HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000))) +NULL +Warnings: +Warning 1301 Result of weight_string() was larger than max_allowed_packet (1048576) - truncated === modified file 'mysql-test/t/func_weight_string.test' --- a/mysql-test/t/func_weight_string.test 2010-03-22 09:13:41 +0000 +++ b/mysql-test/t/func_weight_string.test 2011-03-24 10:37:16 +0000 @@ -104,3 +104,10 @@ create table t1 (s1 varchar(5)); insert into t1 values ('a'),(null); select hex(weight_string(s1)) from t1 order by s1; drop table t1; + +--echo # +--echo # BUG#11898467 - SERVER CRASHES ON SELECT HEX(WEIGHT_STRING(STR AS [CHAR|BINARY](N))) IF N IS BIG +--echo # +SELECT HEX(WEIGHT_STRING('ab' AS CHAR(1000000000000000000))); +SELECT HEX(WEIGHT_STRING('ab' AS BINARY(1000000000000000000))); + === modified file 'sql/item_strfunc.cc' --- a/sql/item_strfunc.cc 2011-03-22 11:44:40 +0000 +++ b/sql/item_strfunc.cc 2011-03-24 10:37:16 +0000 @@ -3213,6 +3213,15 @@ String *Item_func_weight_string::val_str cs->coll->strnxfrmlen(cs, cs->mbmaxlen * max(res->length(), nweights)); + if(tmp_length > current_thd->variables.max_allowed_packet) + { + push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_WARN, + ER_WARN_ALLOWED_PACKET_OVERFLOWED, + ER(ER_WARN_ALLOWED_PACKET_OVERFLOWED), func_name(), + current_thd->variables.max_allowed_packet); + goto nl; + } + if (tmp_value.alloc(tmp_length)) goto nl; No bundle (reason: useless for push emails).
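Review bot: In mysql-test/t/func_weight_string.test the two added statements only exercise a length far above the limit, so nothing pins the behaviour at the boundary or for a multi-byte character set. A case just below and just above max_allowed_packet (checked through `LENGTH()` rather than `HEX()` to keep the result file small) and one using a `_utf8` literal would catch a later change that moves the check or alters the size arithmetic. The recorded warning also embeds the value 1048576, so the result file presumably depends on the suite's default setting; a comment such as `# Expected warning text assumes max_allowed_packet=1048576` above the statements would make that dependency visible.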
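Review bot: The new guard in sql/item_strfunc.cc compares `tmp_length` only after `cs->coll->strnxfrmlen(cs, cs->mbmaxlen * max(res->length(), nweights))` has been evaluated, so it relies on that arithmetic not wrapping; the declaration of `tmp_length` and the type of `nweights` are outside the hunk, so this needs confirming. If either is narrower than the product can reach, a wrapped value could pass the check and under-size the later `tmp_value.alloc(tmp_length)`; bounding the operand before the multiplication, for example rejecting when `nweights > current_thd->variables.max_allowed_packet`, would presumably close that off. On style, the condition is written `if(` while the following statement uses `if (`, and `current_thd` is looked up three times where a single `THD *thd= current_thd;` would do. The body of val_str() starts and ends outside the hunk.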