Below is the list of changes that have just been committed into a local
5.0 repository of kgeorge. When kgeorge does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
ChangeSet@stripped, 2007-09-22 11:10:32+02:00, gkodinov@stripped +3 -0
Bug #30587: mysql crashes when trying to group by TIME div NUMBER
When calculating the result length of an integer DIV function
the number of decimals was used without checking the result type
first. Thus an uninitialized number of decimals was used for some
types. This caused an excessive amount of memory to be allocated
for the field's buffer and crashed the server.
Fixed by checking the result type of the argument before using the
decimals field.
mysql-test/r/func_math.result@stripped, 2007-09-22 11:10:24+02:00, gkodinov@stripped
+36 -0
Bug #30587: test case
mysql-test/t/func_math.test@stripped, 2007-09-22 11:10:24+02:00, gkodinov@stripped +25
-0
Bug #30587: test case
sql/item_func.cc@stripped, 2007-09-22 11:10:25+02:00, gkodinov@stripped +4 -1
Bug #30587: Don't use decimals if not a type that has them
diff -Nrup a/mysql-test/r/func_math.result b/mysql-test/r/func_math.result
--- a/mysql-test/r/func_math.result 2007-04-28 18:00:59 +02:00
+++ b/mysql-test/r/func_math.result 2007-09-22 11:10:24 +02:00
@@ -322,4 +322,40 @@ mod(5, cast(-2 as unsigned)) mod(5, 1844
select pow(cast(-2 as unsigned), 5), pow(18446744073709551614, 5), pow(-2, 5);
pow(cast(-2 as unsigned), 5) pow(18446744073709551614, 5) pow(-2, 5)
2.1359870359209e+96 2.1359870359209e+96 -32
+CREATE TABLE t1 (a timestamp);
+INSERT INTO t1 VALUES('1998-09-23'), ('2003-03-25');
+SELECT a DIV 900 b FROM t1 GROUP BY b;
+Catalog Database Table Table_alias Column Column_alias Type Length Max
length Is_null Flags Decimals Charsetnr
+def b b 8 19 11 Y 32800 0 63
+b
+22201025555
+22255916666
+SELECT DISTINCT a DIV 900 b FROM t1;
+Catalog Database Table Table_alias Column Column_alias Type Length Max
length Is_null Flags Decimals Charsetnr
+def b b 8 19 11 Y 32800 0 63
+b
+22201025555
+22255916666
+DROP TABLE t1;
+CREATE TABLE t1(a LONGBLOB);
+INSERT INTO t1 VALUES('1'),('2'),('3');
+SELECT DISTINCT (a DIV 254576881) FROM t1;
+(a DIV 254576881)
+0
+SELECT (a DIV 254576881) FROM t1 UNION ALL
+SELECT (a DIV 254576881) FROM t1;
+(a DIV 254576881)
+0
+0
+0
+0
+0
+0
+DROP TABLE t1;
+CREATE TABLE t1(a SET('a','b','c'));
+INSERT INTO t1 VALUES ('a');
+SELECT a DIV 2 FROM t1 UNION SELECT a DIV 2 FROM t1;
+a DIV 2
+0
+DROP TABLE t1;
End of 5.0 tests
diff -Nrup a/mysql-test/t/func_math.test b/mysql-test/t/func_math.test
--- a/mysql-test/t/func_math.test 2007-04-28 18:00:59 +02:00
+++ b/mysql-test/t/func_math.test 2007-09-22 11:10:24 +02:00
@@ -205,4 +205,29 @@ select mod(cast(-2 as unsigned), 3), mod
select mod(5, cast(-2 as unsigned)), mod(5, 18446744073709551614), mod(5, -2);
select pow(cast(-2 as unsigned), 5), pow(18446744073709551614, 5), pow(-2, 5);
+#
+# Bug #30587: mysql crashes when trying to group by TIME div NUMBER
+#
+
+CREATE TABLE t1 (a timestamp);
+INSERT INTO t1 VALUES('1998-09-23'), ('2003-03-25');
+--enable_metadata
+SELECT a DIV 900 b FROM t1 GROUP BY b;
+SELECT DISTINCT a DIV 900 b FROM t1;
+--disable_metadata
+DROP TABLE t1;
+
+CREATE TABLE t1(a LONGBLOB);
+INSERT INTO t1 VALUES('1'),('2'),('3');
+SELECT DISTINCT (a DIV 254576881) FROM t1;
+SELECT (a DIV 254576881) FROM t1 UNION ALL
+ SELECT (a DIV 254576881) FROM t1;
+DROP TABLE t1;
+
+CREATE TABLE t1(a SET('a','b','c'));
+INSERT INTO t1 VALUES ('a');
+SELECT a DIV 2 FROM t1 UNION SELECT a DIV 2 FROM t1;
+DROP TABLE t1;
+
+
--echo End of 5.0 tests
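Review bot: The new cases never exercise the two argument types for which `fix_length_and_dec()` still subtracts `decimals` (DECIMAL and integer results), and none uses a TIME column even though the bug title names TIME. Only the two timestamp queries run between `--enable_metadata` and `--disable_metadata`, so the reported Length is pinned for that one type. I would add a TIME and a DECIMAL case inside the metadata block, for example `CREATE TABLE t1 (a TIME, d DECIMAL(10,4));` followed by `SELECT a DIV 900 b, d DIV 3 c FROM t1 GROUP BY b, c;`, and regenerate the .result file. A wrong length would then show up as a result diff rather than as a server crash.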
diff -Nrup a/sql/item_func.cc b/sql/item_func.cc
--- a/sql/item_func.cc 2007-08-03 18:59:12 +02:00
+++ b/sql/item_func.cc 2007-09-22 11:10:25 +02:00
@@ -1380,7 +1380,10 @@ longlong Item_func_int_div::val_int()
void Item_func_int_div::fix_length_and_dec()
{
- max_length=args[0]->max_length - args[0]->decimals;
+ Item_result argtype= args[0]->result_type();
+ max_length=args[0]->max_length -
+ (argtype == DECIMAL_RESULT || argtype == INT_RESULT ?
+ args[0]->decimals : 0);
maybe_null=1;
unsigned_flag=args[0]->unsigned_flag | args[1]->unsigned_flag;
}
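Review bot: The subtraction in `max_length=args[0]->max_length - (...)` is still unguarded on the DECIMAL_RESULT and INT_RESULT path. If `decimals` is ever larger than `max_length` for such an argument, the result would wrap (assuming `max_length` is unsigned; its declaration is not in this hunk) and bring back the oversized buffer allocation the commit message describes. Since any client that can run a SELECT reaches this code, I would clamp rather than trust the relation between the two fields: `uint dec= (argtype == DECIMAL_RESULT || argtype == INT_RESULT) ? args[0]->decimals : 0;` then `max_length= args[0]->max_length > dec ? args[0]->max_length - dec : 0;`. A one-line comment above the assignment, such as `/* decimals is only meaningful for DECIMAL and INT results */`, would also keep the condition from being simplified away later.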