Below is the list of changes that have just been committed into a local
5.0 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2007-01-18 20:10:06+03:00, evgen@stripped +8 -0
Bug#25172: Not checked buffer size leads to a server crash.
After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
fields. It is used while sorting for grouping and for ordering. If ORDER BY
clause has more elements than the GROUP BY clause, a memory overrun occurs.
Now join stores the size of the allocated buffer and allocates new if needed.
mysql-test/r/select.result@stripped, 2007-01-18 20:08:08+03:00, evgen@stripped +8 -0
Added a test case for bug#25172: Not checked buffer size leads to a server crash.
mysql-test/t/select.test@stripped, 2007-01-18 20:07:56+03:00, evgen@stripped +11 -0
Added a test case for bug#25172: Not checked buffer size leads to a server crash.
sql/mysql_priv.h@stripped, 2007-01-18 20:09:39+03:00, evgen@stripped +2 -1
Bug#25172: Not checked buffer size leads to a server crash.
Changed the prototype of the make_unireg_sortorder() function.
sql/sql_delete.cc@stripped, 2007-01-18 20:09:29+03:00, evgen@stripped +1 -1
Bug#25172: Not checked buffer size leads to a server crash.
Changed call to the make_unireg_sortorder() function.
sql/sql_select.cc@stripped, 2007-01-18 20:09:20+03:00, evgen@stripped +10 -3
Bug#25172: Not checked buffer size leads to a server crash.
Now join stores the size of the allocated buffer and allocates new if needed.
sql/sql_select.h@stripped, 2007-01-18 20:09:03+03:00, evgen@stripped +2 -0
Bug#25172: Not checked buffer size leads to a server crash.
JOIN now additionally contains the size of the buffer allocated for sort fields.
sql/sql_table.cc@stripped, 2007-01-18 20:08:39+03:00, evgen@stripped +1 -1
Bug#25172: Not checked buffer size leads to a server crash.
Changed call to the make_unireg_sortorder() function.
sql/sql_update.cc@stripped, 2007-01-18 20:08:10+03:00, evgen@stripped +1 -1
Bug#25172: Not checked buffer size leads to a server crash.
Changed call to the make_unireg_sortorder() function.
# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: evgen
# Host: moonbone.local
# Root: /mnt/gentoo64/work/25172-bug-5.0-opt-mysql
--- 1.428/sql/mysql_priv.h 2007-01-11 23:17:39 +03:00
+++ 1.429/sql/mysql_priv.h 2007-01-18 20:09:39 +03:00
@@ -733,7 +733,8 @@
bool check_simple_select();
SORT_FIELD * make_unireg_sortorder(ORDER *order, uint *length,
- SORT_FIELD *sortorder);
+ SORT_FIELD *sortorder,
+ uint *sortorder_count);
int setup_order(THD *thd, Item **ref_pointer_array, TABLE_LIST *tables,
List<Item> &fields, List <Item> &all_fields, ORDER *order);
int setup_group(THD *thd, Item **ref_pointer_array, TABLE_LIST *tables,
--- 1.189/sql/sql_delete.cc 2007-01-12 16:40:31 +03:00
+++ 1.190/sql/sql_delete.cc 2007-01-18 20:09:29 +03:00
@@ -171,7 +171,7 @@
MYF(MY_FAE | MY_ZEROFILL));
if (!(sortorder= make_unireg_sortorder((ORDER*) order->first,
- &length, NULL)) ||
+ &length, NULL, 0)) ||
(table->sort.found_records = filesort(thd, table, sortorder, length,
select, HA_POS_ERROR,
&examined_rows))
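Review bot: The new fourth argument is spelled `0` on the changed line while the pointer argument immediately before it is spelled `NULL`; since the new parameter is declared `uint *sortorder_count`, the call reads more clearly and consistently as `&length, NULL, NULL)) ||`. The same mixed spelling appears in the sql_table.cc and sql_update.cc hunks of this commit. The enclosing `if` condition continues past the end of this hunk.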
--- 1.480/sql/sql_select.cc 2007-01-15 22:40:19 +03:00
+++ 1.481/sql/sql_select.cc 2007-01-18 20:09:20 +03:00
@@ -12284,7 +12284,8 @@
test_if_skip_sort_order(tab,order,select_limit,0))
DBUG_RETURN(0);
if (!(join->sortorder=
- make_unireg_sortorder(order,&length,join->sortorder)))
+ make_unireg_sortorder(order, &length, join->sortorder,
+ &join->sortorder_count)))
goto err; /* purecov: inspected */
table->sort.io_cache=(IO_CACHE*) my_malloc(sizeof(IO_CACHE),
@@ -12680,7 +12681,7 @@
SORT_FIELD *make_unireg_sortorder(ORDER *order, uint *length,
- SORT_FIELD *sortorder)
+ SORT_FIELD *sortorder, uint *sortorder_count)
{
uint count;
SORT_FIELD *sort,*pos;
@@ -12691,7 +12692,13 @@
count++;
if (!sortorder)
sortorder= (SORT_FIELD*) sql_alloc(sizeof(SORT_FIELD)*(count+1));
- pos=sort=sortorder;
+ else if (sortorder_count && count > *sortorder_count)
+ sortorder= (SORT_FIELD*) sql_alloc(sizeof(SORT_FIELD)*(count+1));
+
+ pos= sort= sortorder;
+ if (sortorder_count)
+ *sortorder_count= count;
+
if (!pos)
return 0;
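Review bot: The capacity check `else if (sortorder_count && count > *sortorder_count)` is skipped whenever a caller passes a preallocated `sortorder` together with a null `sortorder_count`, so such a caller is still trusted to have sized the buffer for `count + 1` entries — the assumption this bug is about. That contract belongs in the function's header comment, e.g. `sortorder_count  in/out: number of sort fields *sortorder was allocated for; must be non-NULL when a preallocated sortorder is passed, may be NULL when sortorder is NULL`. Separately, `*sortorder_count= count` is written before the `if (!pos) return 0;` check, so a failed sql_alloc leaves the caller's count describing a buffer that was never obtained; placing `if (sortorder_count) *sortorder_count= count;` after the null check avoids the stale value, which today appears harmless only because the visible caller stores the NULL return into `join->sortorder` and the `!sortorder` branch then reallocates. The function's signature is in the preceding hunk and its body continues past this one.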
--- 1.114/sql/sql_select.h 2006-12-30 23:02:07 +03:00
+++ 1.115/sql/sql_select.h 2007-01-18 20:09:03 +03:00
@@ -291,6 +291,7 @@
excessive memory usage.
*/
SORT_FIELD *sortorder; // make_unireg_sortorder()
+ uint sortorder_count;
TABLE **table_reexec; // make_simple_join()
JOIN_TAB *join_tab_reexec; // make_simple_join()
/* end of allocation caching storage */
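Review bot: The added member `uint sortorder_count;` is the only field in this allocation-caching group without a trailing comment naming its producer, unlike `sortorder`, `table_reexec` and `join_tab_reexec` around it. Suggest `uint sortorder_count; // make_unireg_sortorder(): number of SORT_FIELDs sortorder was allocated for`, which also records that the value is the buffer's capacity rather than the number of fields currently in use. The struct declaration starts and ends outside this hunk.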
@@ -321,6 +322,7 @@
exec_tmp_table1= 0;
exec_tmp_table2= 0;
sortorder= 0;
+ sortorder_count= 0;
table_reexec= 0;
join_tab_reexec= 0;
thd= thd_arg;
--- 1.329/sql/sql_table.cc 2006-12-23 22:04:27 +03:00
+++ 1.330/sql/sql_table.cc 2007-01-18 20:08:39 +03:00
@@ -3964,7 +3964,7 @@
if (thd->lex->select_lex.setup_ref_array(thd, order_num) ||
setup_order(thd, thd->lex->select_lex.ref_pointer_array,
&tables, fields, all_fields, order) ||
- !(sortorder=make_unireg_sortorder(order, &length, NULL)) ||
+ !(sortorder=make_unireg_sortorder(order, &length, NULL, 0)) ||
(from->sort.found_records = filesort(thd, from, sortorder, length,
(SQL_SELECT *) 0, HA_POS_ERROR,
&examined_rows)) ==
--- 1.207/sql/sql_update.cc 2006-12-30 23:02:07 +03:00
+++ 1.208/sql/sql_update.cc 2007-01-18 20:08:10 +03:00
@@ -310,7 +310,7 @@
table->sort.io_cache = (IO_CACHE *) my_malloc(sizeof(IO_CACHE),
MYF(MY_FAE | MY_ZEROFILL));
- if (!(sortorder=make_unireg_sortorder(order, &length, NULL)) ||
+ if (!(sortorder=make_unireg_sortorder(order, &length, NULL, 0)) ||
(table->sort.found_records = filesort(thd, table, sortorder, length,
select, limit,
&examined_rows))
--- 1.143/mysql-test/r/select.result 2006-10-19 16:37:44 +04:00
+++ 1.144/mysql-test/r/select.result 2007-01-18 20:08:08 +03:00
@@ -3611,3 +3611,11 @@
1 SIMPLE t2 range si,ai si 5 NULL 2 Using where
1 SIMPLE t3 eq_ref PRIMARY,ci PRIMARY 4 test.t2.a 1 Using where
DROP TABLE t1,t2,t3;
+CREATE TABLE t1 ( f1 int primary key, f2 int, f3 int, f4 int, f5 int, f6 int, checked_out
int);
+CREATE TABLE t2 ( f11 int PRIMARY KEY );
+INSERT INTO t1 VALUES (1,1,1,0,0,0,0),(2,1,1,3,8,1,0),(3,1,1,4,12,1,0);
+INSERT INTO t2 VALUES (62);
+SELECT * FROM t1 LEFT JOIN t2 ON f11 = t1.checked_out GROUP BY f1 ORDER BY f2, f3, f4, f5
LIMIT 0, 1;
+f1 f2 f3 f4 f5 f6 checked_out f11
+1 1 1 0 0 0 0 NULL
+DROP TABLE t1, t2;
--- 1.117/mysql-test/t/select.test 2006-11-20 23:41:41 +03:00
+++ 1.118/mysql-test/t/select.test 2007-01-18 20:07:56 +03:00
@@ -3092,3 +3092,14 @@
t3.c IN ('bb','ee');
DROP TABLE t1,t2,t3;
+
+#
+# Bug#25172: Not checked buffer size leads to a server crash
+#
+CREATE TABLE t1 ( f1 int primary key, f2 int, f3 int, f4 int, f5 int, f6 int, checked_out
int);
+CREATE TABLE t2 ( f11 int PRIMARY KEY );
+INSERT INTO t1 VALUES (1,1,1,0,0,0,0),(2,1,1,3,8,1,0),(3,1,1,4,12,1,0);
+INSERT INTO t2 VALUES (62);
+SELECT * FROM t1 LEFT JOIN t2 ON f11 = t1.checked_out GROUP BY f1 ORDER BY f2, f3, f4, f5
LIMIT 0, 1;
+DROP TABLE t1, t2;
+