From: Date: May 16 2007 12:47pm Subject: bk commit into 5.0 tree (ramil:1.2457) BUG#28464 List-Archive: http://lists.mysql.com/commits/26805 X-Bug: 28464 Message-Id: <20070516104756.D052D3400079@ramil.myoffice.izhnet.ru> Below is the list of changes that have just been committed into a local 5.0 repository of ram. When ram does a push these changes will be propagated to the main repository and, within 24 hours after the push, to the public repository. For information on how to access the public repository see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html ChangeSet@stripped, 2007-05-16 15:47:52+05:00, ramil@stripped +3 -0 Fix for bug #28464: a string argument to 'limit ?' PS - replication fails Problem: we may get syntactically incorrect queries in the binary log if we use a string value user variable executing a PS which contains '... limit ?' clause, e.g. prepare s from "select 1 limit ?"; set @a='qwe'; execute s using @a; Fix: raise an error in such cases. mysql-test/r/limit.result@stripped, 2007-05-16 15:47:51+05:00, ramil@stripped +11 -0 Fix for bug #28464: a string argument to 'limit ?' PS - replication fails - test result. mysql-test/t/limit.test@stripped, 2007-05-16 15:47:51+05:00, ramil@stripped +17 -0 Fix for bug #28464: a string argument to 'limit ?' PS - replication fails - test case. sql/sql_lex.cc@stripped, 2007-05-16 15:47:51+05:00, ramil@stripped +28 -4 Fix for bug #28464: a string argument to 'limit ?' PS - replication fails - ensure sl->select_limit and sl->offset_limit are of Item::INT_ITEM type, raise an error otherwise. # This is a BitKeeper patch. What follows are the unified diffs for the # set of deltas contained in the patch. The rest of the patch, the part # that BitKeeper cares about, is below these diffs. # User: ramil # Host: ramil.myoffice.izhnet.ru # Root: /home/ram/work/b26842/b26842.5.0
--- 1.217/sql/sql_lex.cc 2007-05-16 15:47:56 +05:00
+++ 1.218/sql/sql_lex.cc 2007-05-16 15:47:56 +05:00
@@ -1970,13 +1970,37 @@ void st_select_lex_unit::set_limit(SELEC
 ha_rows select_limit_val;
 DBUG_ASSERT(! thd->stmt_arena->is_stmt_prepare());
- select_limit_val= (ha_rows)(sl->select_limit ? sl->select_limit->val_uint() :
- HA_POS_ERROR);
- offset_limit_cnt= (ha_rows)(sl->offset_limit ? sl->offset_limit->val_uint() :
- ULL(0));
+
+ /*
+ As sl->select_limit and sl->offset_limit may be of Item_param
+ type we have to check it and raise an error if it's not
+ Item::INT_ITEM. For example, the following will return an error:
+ prepare s from "select 1 limit ?"; set @a='qwe'; execute s using @a;
+ */
+ if (sl->select_limit)
+ {
+ if (sl->select_limit->type() != Item::INT_ITEM)
+ goto error;
+ select_limit_val= sl->select_limit->val_uint();
+ }
+ else
+ select_limit_val= HA_POS_ERROR;
+ if (sl->offset_limit)
+ {
+ if (sl->offset_limit->type() != Item::INT_ITEM)
+ goto error;
+ offset_limit_cnt= sl->offset_limit->val_uint();
+ }
+ else
+ offset_limit_cnt= ULL(0);
+
 select_limit_cnt= select_limit_val + offset_limit_cnt;
 if (select_limit_cnt < select_limit_val)
 select_limit_cnt= HA_POS_ERROR; // no limit
+ return;
+
+error:
+ my_error(ER_WRONG_ARGUMENTS, MYF(0), "LIMIT");
 }
--- 1.11/mysql-test/r/limit.result 2007-05-16 15:47:56 +05:00
+++ 1.12/mysql-test/r/limit.result 2007-05-16 15:47:56 +05:00
@@ -91,3 +91,14 @@ select sum(a) c FROM t1 WHERE a > 0 ORDE
 c
 28
 drop table t1;
+prepare s from "select 1 limit ?";
+set @a='qwe';
+execute s using @a;
+ERROR HY000: Incorrect arguments to LIMIT
+prepare s from "select 1 limit 1, ?";
+execute s using @a;
+ERROR HY000: Incorrect arguments to LIMIT
+prepare s from "select 1 limit ?, ?";
+execute s using @a, @a;
+ERROR HY000: Incorrect arguments to LIMIT
+End of 5.0 tests
--- 1.13/mysql-test/t/limit.test 2007-05-16 15:47:56 +05:00
+++ 1.14/mysql-test/t/limit.test 2007-05-16 15:47:56 +05:00
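Review bot: On the new `error:` path `set_limit()` returns without assigning `offset_limit_cnt` or `select_limit_cnt`, and because the function is `void` a caller learns of the failure only from the error that `my_error()` records. Whether every caller checks that error before using the counters is not visible here (the function's signature and its callers are outside the hunk), so I would leave them in a defined state, e.g. `offset_limit_cnt= 0; select_limit_cnt= 0;` just before `my_error(...)`, or return a status instead. The test `type() != Item::INT_ITEM` also appears to reject any non-integer binding, not only strings; if that is intended the comment should say so, e.g. `Only integer-typed values are accepted for LIMIT parameters; any other type is rejected.`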
@@ -71,3 +71,20 @@ explain select sum(a) c FROM t1 WHERE a
 select sum(a) c FROM t1 WHERE a > 0 ORDER BY c LIMIT 3;
 drop table t1;
 # End of 4.1 tests
+
+#
+# Bug #28464: a string argument to 'limit ?' PS
+#
+
+prepare s from "select 1 limit ?";
+set @a='qwe';
+--error 1210
+execute s using @a;
+prepare s from "select 1 limit 1, ?";
+--error 1210
+execute s using @a;
+prepare s from "select 1 limit ?, ?";
+--error 1210
+execute s using @a, @a;
+
+--echo End of 5.0 tests
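Review bot: The new cases bind only a string (`set @a='qwe';`), so what the added `Item::INT_ITEM` check does with other non-integer values is not pinned down; a case such as `set @a=1.5;` and one with `set @a=NULL;`, each followed by `execute s using @a;` and its expected outcome, would cover that. Nothing here checks the binary log, which is where the commit message says the malformed statement ended up, so a replication-side test would be the stronger regression guard. The statement `s` also stays prepared after the last case; `deallocate prepare s;` before `--echo End of 5.0 tests` would keep it out of later tests.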