3544 Tor Didriksen 2011-09-21
Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY
Extra fix: 'if (p5 < p5_a + P5A_MAX)' is not portable.
p5 starts out pointing to a static array, then may point
to a buffer on the stack, then may point to malloc()ed memory.
modified:
strings/dtoa.c
3543 kevin.lewis@stripped 2011-09-20
Bug 12963823 - Crash in Purge thread under unusual circumstances.
The problem occurred when indexes are added between the time that an
UNDO record is created and the time that the purge thread comes around
and deletes the old secondary index entries. The purge thread would
hit an assert when trying to build a secondary index entry for
searching. The problem was that the old value of those fields were not
in the UNDO record since they were not part of an index when the UPDATE
occured.
A test case was added to innodb-index.test.
modified:
mysql-test/suite/innodb/r/innodb-index.result
mysql-test/suite/innodb/t/innodb-index.test
storage/innobase/row/row0purge.c
=== modified file 'strings/dtoa.c'
--- a/strings/dtoa.c 2011-09-20 08:59:48 +0000
+++ b/strings/dtoa.c 2011-09-21 11:46:49 +0000
@@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k
Bigint *b1, *p5, *p51=NULL;
int i;
static int p05[3]= { 5, 25, 125 };
+ my_bool overflow= FALSE;
if ((i= k & 3))
b= multadd(b, p05[i-1], 0, alloc);
@@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k
if (!(k>>= 1))
break;
/* Calculate next power of 5 */
- if (p5 < p5_a + P5A_MAX)
- ++p5;
- else if (p5 == p5_a + P5A_MAX)
- p5= mult(p5, p5, alloc);
- else
+ if (overflow)
{
p51= mult(p5, p5, alloc);
Bfree(p5, alloc);
p5= p51;
}
+ else if (p5 < p5_a + P5A_MAX)
+ ++p5;
+ else if (p5 == p5_a + P5A_MAX)
+ {
+ p5= mult(p5, p5, alloc);
+ overflow= TRUE;
+ }
}
if (p51)
Bfree(p51, alloc);
No bundle (reason: useless for push emails).
| Thread |
|---|
| • bzr push into mysql-5.5 branch (tor.didriksen:3543 to 3544) Bug#12985030 | Tor Didriksen | 22 Sep |
