3026 Alexey Kopytov 2009-02-05 [merge]
Manual merge mysql-5.1-bugteam -> mysql-6.0-bugteam.
modified:
client/sql_string.cc
mysql-test/r/func_str.result
mysql-test/t/func_str.test
sql/protocol.cc
sql/sql_string.cc
3025 Sergey Glukhov 2009-02-05 [merge]
automerge
modified:
mysql-test/extra/rpl_tests/rpl_extraMaster_Col.test
mysql-test/include/ps_modify.inc
mysql-test/r/auto_increment.result
mysql-test/r/csv_not_null.result
mysql-test/r/null.result
mysql-test/r/ps_2myisam.result
mysql-test/r/ps_3innodb.result
mysql-test/r/ps_4heap.result
mysql-test/r/ps_5merge.result
mysql-test/r/warnings.result
mysql-test/suite/ndb/r/ps_7ndb.result
mysql-test/suite/rpl/r/rpl_extraColmaster_falcon.result
mysql-test/suite/rpl/r/rpl_extraColmaster_innodb.result
mysql-test/suite/rpl/r/rpl_extraColmaster_myisam.result
mysql-test/suite/rpl/t/rpl_err_ignoredtable.test
mysql-test/t/auto_increment.test
mysql-test/t/csv_not_null.test
mysql-test/t/null.test
mysql-test/t/warnings.test
sql/sql_select.cc
sql/sql_select.h
sql/sql_update.cc
=== modified file 'client/sql_string.cc'
--- a/client/sql_string.cc 2008-05-22 18:40:15 +0000
+++ b/client/sql_string.cc 2009-02-05 13:00:14 +0000
@@ -73,26 +73,26 @@ bool String::realloc(uint32 alloc_length
if (alloced)
{
if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
- {
- Ptr=new_ptr;
- Alloced_length=len;
- }
+ new_ptr[alloc_length]= 0;
else
- return TRUE; // Signal error
+ return TRUE; // Signal error
}
else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
{
+ if (str_length > len - 1)
+ str_length= 0;
if (str_length) // Avoid bugs in memcpy on AIX
- memcpy(new_ptr,Ptr,str_length);
- new_ptr[str_length]=0;
- Ptr=new_ptr;
- Alloced_length=len;
+ memcpy(new_ptr, Ptr, str_length);
+ new_ptr[str_length]= 0;
alloced=1;
}
else
return TRUE; // Signal error
+ Ptr= new_ptr;
+ Alloced_length= len;
}
- Ptr[alloc_length]=0; // This make other funcs shorter
+ else
+ Ptr[alloc_length]= 0;
return FALSE;
}
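Review bot: The `my_malloc` branch no longer terminates the buffer at `alloc_length`. The old unconditional `Ptr[alloc_length]=0` now sits under `else`, and the `my_realloc` branch writes `new_ptr[alloc_length]= 0`, but the malloc branch only writes `new_ptr[str_length]= 0`, so the byte at `alloc_length` is left uninitialised on that path. The removed comment ("This make other funcs shorter") suggests other functions rely on that terminator; if so, add `new_ptr[alloc_length]= 0;` next to `alloced=1;` or keep the final store unconditional. The new `if (str_length > len - 1) str_length= 0;` silently empties the string and deserves a comment such as `// Old content does not fit the new buffer: drop it rather than overrun`. The same applies to the identical hunk in sql/sql_string.cc; the function's opening lines, including the computation of `len`, are outside the hunk.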
=== modified file 'mysql-test/r/func_str.result'
--- a/mysql-test/r/func_str.result 2009-01-06 10:38:47 +0000
+++ b/mysql-test/r/func_str.result 2009-02-05 13:00:14 +0000
@@ -2522,4 +2522,10 @@ def format(a, 2) 253 49 4 Y 0 31 8
format(a, 2)
1.33
drop table t1;
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+h i
+31.12.2008 AAAAAA, aaaaaa
+DROP TABLE t1;
End of 5.0 tests
=== modified file 'mysql-test/t/func_str.test'
--- a/mysql-test/t/func_str.test 2008-12-09 11:16:39 +0000
+++ b/mysql-test/t/func_str.test 2009-02-05 12:49:59 +0000
@@ -1273,4 +1273,13 @@ select format(a, 2) from t1;
--disable_metadata
drop table t1;
+#
+# Bug #41868: crash or memory overrun with concat + upper, date_format functions
+#
+
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+DROP TABLE t1;
+
--echo End of 5.0 tests
=== modified file 'sql/protocol.cc'
--- a/sql/protocol.cc 2009-01-13 15:26:20 +0000
+++ b/sql/protocol.cc 2009-02-05 13:00:14 +0000
@@ -807,6 +807,11 @@ bool Protocol::send_result_set_row(List<
my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
DBUG_RETURN(TRUE);
}
+ /*
+ Reset str_buffer to its original state, as it may have been altered in
+ Item::send().
+ */
+ str_buffer.set(buffer, sizeof(buffer), &my_charset_bin);
}
DBUG_RETURN(FALSE);
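Review bot: The added comment above `str_buffer.set(...)` says the buffer "may have been altered" but not which state matters or what goes wrong if it is carried into the next item. The test added in this commit ties the change to Bug #41868 (crash or memory overrun), so the comment should say so, for example `/* Item::send() may leave str_buffer with a different pointer/length; reset it so the next item starts from the stack buffer (Bug #41868). */`, assuming that is the failure mode. The reset presumably mirrors the initialisation at the declaration of `str_buffer`, which is outside the hunk, so the two need to stay in sync. The enclosing loop and function also begin outside the hunk.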
=== modified file 'sql/sql_string.cc'
--- a/sql/sql_string.cc 2008-08-18 05:43:50 +0000
+++ b/sql/sql_string.cc 2009-02-05 13:00:14 +0000
@@ -73,26 +73,26 @@ bool String::realloc(uint32 alloc_length
if (alloced)
{
if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
- {
- Ptr=new_ptr;
- Alloced_length=len;
- }
+ new_ptr[alloc_length]= 0;
else
- return TRUE; // Signal error
+ return TRUE; // Signal error
}
else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
{
+ if (str_length > len - 1)
+ str_length= 0;
if (str_length) // Avoid bugs in memcpy on AIX
- memcpy(new_ptr,Ptr,str_length);
- new_ptr[str_length]=0;
- Ptr=new_ptr;
- Alloced_length=len;
+ memcpy(new_ptr, Ptr, str_length);
+ new_ptr[str_length]= 0;
alloced=1;
}
else
return TRUE; // Signal error
+ Ptr= new_ptr;
+ Alloced_length= len;
}
- Ptr[alloc_length]=0; // This make other funcs shorter
+ else
+ Ptr[alloc_length]= 0;
return FALSE;
}