From: Tor Didriksen Date: September 21 2011 11:56am Subject: bzr push into mysql-5.5 branch (tor.didriksen:3543 to 3544) Bug#12985030 List-Archive: http://lists.mysql.com/commits/141050 X-Bug: 12985030 Message-Id: <201109211156.p8LBuVuE008321@acsmt356.oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 3544 Tor Didriksen 2011-09-21 Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY Extra fix: 'if (p5 < p5_a + P5A_MAX)' is not portable. p5 starts out pointing to a static array, then may point to a buffer on the stack, then may point to malloc()ed memory. modified: strings/dtoa.c 3543 kevin.lewis@stripped 2011-09-20 Bug 12963823 - Crash in Purge thread under unusual circumstances. The problem occurred when indexes are added between the time that an UNDO record is created and the time that the purge thread comes around and deletes the old secondary index entries. The purge thread would hit an assert when trying to build a secondary index entry for searching. The problem was that the old value of those fields were not in the UNDO record since they were not part of an index when the UPDATE occurred. A test case was added to innodb-index.test. modified: mysql-test/suite/innodb/r/innodb-index.result mysql-test/suite/innodb/t/innodb-index.test storage/innobase/row/row0purge.c === modified file 'strings/dtoa.c' --- a/strings/dtoa.c 2011-09-20 08:59:48 +0000 +++ b/strings/dtoa.c 2011-09-21 11:46:49 +0000 @@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k Bigint *b1, *p5, *p51=NULL; int i; static int p05[3]= { 5, 25, 125 }; + my_bool overflow= FALSE; if ((i= k & 3)) b= multadd(b, p05[i-1], 0, alloc); 
@@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k if (!(k>>= 1)) break; /* Calculate next power of 5 */ - if (p5 < p5_a + P5A_MAX) - ++p5; - else if (p5 == p5_a + P5A_MAX) - p5= mult(p5, p5, alloc); - else + if (overflow) { p51= mult(p5, p5, alloc); Bfree(p5, alloc); p5= p51; } + else if (p5 < p5_a + P5A_MAX) + ++p5; + else if (p5 == p5_a + P5A_MAX) + { + p5= mult(p5, p5, alloc); + overflow= TRUE; + } } if (p51) Bfree(p51, alloc); No bundle (reason: useless for push emails).
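Review bot: the new flag 'my_bool overflow= FALSE;' in the first hunk of pow5mult() is declared without a comment, and the name does not say what has overflowed. From the second hunk it is set once p5 has stepped past p5_a + P5A_MAX and holds a mult() result instead of a table entry. A one-line comment to that effect next to the declaration, or a name that says so, would tell the next reader that the flag exists so the 'p5 < p5_a + P5A_MAX' comparison is only evaluated while p5 still points into the static array.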
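Review bot: in the 'else if (p5 == p5_a + P5A_MAX)' branch of the second hunk, the first mult() result is stored only in p5, so if the loop leaves through 'if (!(k>>= 1)) break;' on the next pass, p51 is still NULL and the cleanup 'if (p51) Bfree(p51, alloc);' after the loop does not release it. Since this bug is about leaked memory, consider assigning that result to p51 as well ('p5= p51= mult(p5, p5, alloc);'), or keying the final Bfree() on overflow and p5 rather than on p51.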