#At file:///misc/mysql/forest/39591/60-39591/
2886 Tatiana A. Nurnberg 2008-11-04
Bug#39591 - Crash if table comment is longer than 62 characters
Maximum length for TABLE..COMMENT changed between 5.1 and 6.0; code adjusted.
modified:
include/mysql_com.h
sql/unireg.cc
per-file messages:
include/mysql_com.h
Add a #define for maximum length of (inlined) TABLE..COMMENTS
for enhanced clarity. It's only used in unireg.cc for now but
still goes with like constants.
sql/unireg.cc
TABLE..COMMENT had a maximum of 60 characters (+ terminator) in 5.1;
it's 2048 now (in extra segment), or 180+1 one (inline). We're fixing
the latter case so comments in the 80..180 range no longer result in
a negative length argument (61 - comment.length) to memset.
=== modified file 'include/mysql_com.h'
--- a/include/mysql_com.h 2008-09-16 08:34:30 +0000
+++ b/include/mysql_com.h 2008-11-04 08:10:49 +0000
@@ -33,6 +33,7 @@
/*
Maximum length of comments
*/
+#define TABLE_COMMENT_INLINE_MAXLEN 180 /* pre 6.0: 60 characters */
#define TABLE_COMMENT_MAXLEN 2048
#define COLUMN_COMMENT_MAXLEN 1024
#define INDEX_COMMENT_MAXLEN 1024
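Review bot: the trailing comment on TABLE_COMMENT_INLINE_MAXLEN gives the old limit in characters ("pre 6.0: 60 characters"), while the check in sql/unireg.cc compares the constant against create_info->comment.length and its new comment speaks of bytes. Please state the unit in the comment on the #define, and say there that this is the limit for the inline copy as opposed to TABLE_COMMENT_MAXLEN for the extra segment, since the shared heading "Maximum length of comments" does not distinguish the two.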
=== modified file 'sql/unireg.cc'
--- a/sql/unireg.cc 2008-07-24 11:33:35 +0000
+++ b/sql/unireg.cc 2008-11-04 08:10:49 +0000
@@ -219,8 +219,12 @@ bool mysql_create_frm(THD *thd, const ch
create_info->comment.length= tmp_len;
}
- //if table comment is larger than 180 bytes, store into extra segment.
- if (create_info->comment.length > 180)
+ /*
+ If table comment is longer than TABLE_COMMENT_INLINE_MAXLEN bytes,
+ store the comment in an extra segment (up to TABLE_COMMENT_MAXLEN bytes).
+ Pre 6.0, the limit was 60 characters, with no extra segment-handling.
+ */
+ if (create_info->comment.length > TABLE_COMMENT_INLINE_MAXLEN)
{
forminfo[46]=255;
create_info->extra_size+= 2 + create_info->comment.length;
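Review bot: forminfo[46]=255 in the extra-segment branch is still a bare magic number, and it only works as a marker while TABLE_COMMENT_INLINE_MAXLEN stays below 255, because the memset in the next hunk uses the same forminfo[46] value as an offset into the inline area. Now that the limit has a name, consider naming the marker as well and adding a compile-time check that the inline limit is smaller than it, so a later change to the #define cannot collide with it.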
@@ -235,7 +239,8 @@ bool mysql_create_frm(THD *thd, const ch
payload with a magic value to detect wrong buffer-sizes. We
explicitly zero that segment again.
*/
- memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
+ memset((char*) forminfo+47 + forminfo[46], 0,
+ TABLE_COMMENT_INLINE_MAXLEN + 1 - forminfo[46]);
#endif
}
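Review bot: the memset length is still an unguarded subtraction, TABLE_COMMENT_INLINE_MAXLEN + 1 - forminfo[46], so it goes negative (and is converted to a huge size_t) whenever forminfo[46] exceeds 181, and the previous hunk sets forminfo[46]=255 for long comments. Please confirm this statement is reachable only on the inline path, or guard it with an assertion that forminfo[46] <= TABLE_COMMENT_INLINE_MAXLEN. The commit also modifies only include/mysql_com.h and sql/unireg.cc; a regression test that creates tables with comments at and around the old and new limits (60, 61, 180 and 181 bytes) would keep this from recurring.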