Below is the list of changes that have just been committed into a local
5.1 repository of kgeorge. When kgeorge does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2007-03-21 12:10:37+02:00, gkodinov@stripped +3 -0
Bug #26303:
The String::qs_append() function will append a string
without checking if there's enough space.
So qs_append() must be called beforehand to ensure
there's enough space in the buffer for the subsequent
qs_append() calls.
Fixed Item_case_expr::print() to make sure there's
enough space before appending data:
1. Defined the possible max digits in an INT
2. added a call to String::reserve() to
make sure qs_append will have enough space
mysql-test/r/case.result@stripped, 2007-03-21 12:10:34+02:00, gkodinov@stripped +5 -0
Bug #26303: test covering the modified code
mysql-test/t/case.test@stripped, 2007-03-21 12:10:34+02:00, gkodinov@stripped +5 -0
Bug #26303: test covering the modified code
sql/item.cc@stripped, 2007-03-21 12:10:34+02:00, gkodinov@stripped +11 -0
Bug #26303:
1. Defined the possible max digits in an INT
2. added a call to String::reserve() to
make sure qs_append will have enough space
# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: gkodinov
# Host: magare.gmz
# Root: /home/kgeorge/mysql/work/B26303-5.1-opt
--- 1.255/sql/item.cc 2007-03-14 16:42:50 +02:00
+++ 1.256/sql/item.cc 2007-03-21 12:10:34 +02:00
@@ -25,6 +25,13 @@
#include "sql_trigger.h"
#include "sql_select.h"
+/*
+ maximum printed length of an int =
+ number of bytes * digits per byte (255 is the max byte val) +
+ space for the sign
+*/
+#define MAX_DIGITS_IN_INT (SIZEOF_INT * 3 + 1)
+
const String my_null_string("NULL", 4, default_charset_info);
/****************************************************************************/
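Review bot: the comment above MAX_DIGITS_IN_INT should state why 3 digits per byte is enough, since "255 is the max byte val" only hints at it: a byte has 256 values and 10^3 > 2^8, so every byte of the int costs at most 3 decimal digits, making SIZEOF_INT * 3 + 1 a safe overestimate (13 for a 4-byte int, against the 11 characters of -2147483648). Because the macro is defined locally in item.cc, other print() paths that call qs_append() after a fixed-width number cannot reuse it; consider moving it to a shared header so the same bound is used everywhere.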
@@ -1092,6 +1099,8 @@ Item_case_expr::Item_case_expr(int case_
:Item_sp_variable( C_STRING_WITH_LEN("case_expr")),
m_case_expr_id(case_expr_id)
{
+ /* case_expr_id is really unsigned */
+ DBUG_ASSERT(case_expr_id >= 0);
}
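Review bot: DBUG_ASSERT(case_expr_id >= 0) only fires in debug builds, so a release server still accepts a negative id here; since the new comment says the value is really unsigned, changing the constructor parameter and m_case_expr_id to an unsigned type would enforce that in all builds instead of only documenting it. As written, the +1 for the sign in MAX_DIGITS_IN_INT is what keeps the print() reservation correct if a negative id does reach it.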
@@ -1125,6 +1134,8 @@ Item_case_expr::this_item_addr(THD *thd,
void Item_case_expr::print(String *str)
{
+ if (str->reserve(MAX_DIGITS_IN_INT + sizeof("case_expr@")))
+ return; /* purecov: inspected */
VOID(str->append(STRING_WITH_LEN("case_expr@")));
str->qs_append(m_case_expr_id);
}
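Review bot: when str->reserve() fails the function returns silently and the string is left without the case_expr text, but print() returns void so no caller can tell; the purecov marker shows the path is untested, so at least document that print() may yield truncated output on allocation failure. Two details deserve a comment so they survive later edits: sizeof("case_expr@") counts the terminating NUL, so the reservation is one byte larger than the literal that is appended (harmless slack, not a bug), and the VOID() around append() is now safe only because the preceding reserve() guarantees the space that append() and the following qs_append() need.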
--- 1.32/mysql-test/r/case.result 2006-09-13 14:19:53 +03:00
+++ 1.33/mysql-test/r/case.result 2007-03-21 12:10:34 +02:00
@@ -200,3 +200,8 @@ CEMPNUM EMPMUM1 EMPNUM2
0.00 0 0.00
2.00 2 NULL
DROP TABLE t1,t2;
+EXPLAIN EXTENDED SELECT CASE 12 WHEN 12 THEN 12 ELSE 11 END;
+id select_type table type possible_keys key key_len ref rows filtered Extra
+1 SIMPLE NULL NULL NULL NULL NULL NULL NULL NULL No tables used
+Warnings:
+Note 1003 select (case 12 when 12 then 12 else 11 end) AS `CASE 12 WHEN 12 THEN 12 ELSE 11 END`
--- 1.22/mysql-test/t/case.test 2006-09-13 14:19:53 +03:00
+++ 1.23/mysql-test/t/case.test 2007-03-21 12:10:34 +02:00
@@ -153,3 +153,8 @@ SELECT IFNULL(t2.EMPNUM,t1.EMPNUM) AS CE
DROP TABLE t1,t2;
# End of 4.1 tests
+
+#
+# Bug #26303: buffer overflow? reserve() not called before qs_append()
+#
+EXPLAIN EXTENDED SELECT CASE 12 WHEN 12 THEN 12 ELSE 11 END;
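Review bot: the comment "buffer overflow? reserve() not called before qs_append()" leaves the diagnosis as a question; the fix establishes that qs_append() writes without checking space, so state that definitively, and add a line saying what the expected result proves (that the printed expression is unchanged after the reserve() call was added), since the EXPLAIN EXTENDED statement itself gives no hint that print() is what is under test.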
Thread: bk commit into 5.1 tree (gkodinov:1.2506) BUG#26303, kgeorge, 21 Mar