From:Davi Arnaut Date:February 9 2009 11:58am
Subject:bzr commit into mysql-5.1-bugteam branch (davi:2793) Bug#42634
# At a local mysql-5.1-bugteam repository of davi

 2793 Davi Arnaut	2009-02-09
      Bug#42634: % character in query can cause mysqld signal 11
      segfault
      
      The problem is that an unfiltered user query was being passed as
      the format string parameter of sql_print_warning which later
      performs printf-like formatting, leading to crashes if the
      user query contains formatting instructions (ie: %s). Also, it
      was using THD::query as the source of the user query, but this
      variable is not meaningful in some situations -- in a delayed
      insert, it points to the table name.
      
      The solution is to pass the user query as a parameter for the
      format string and use the function parameter query_arg as the
      source of the user query.
modified:
  mysql-test/suite/binlog/r/binlog_unsafe.result
  mysql-test/suite/binlog/t/binlog_unsafe.test
  sql/sql_class.cc

per-file messages:
  mysql-test/suite/binlog/r/binlog_unsafe.result
    Add test case result for Bug#42634
  mysql-test/suite/binlog/t/binlog_unsafe.test
    Add test case for Bug#42634
  sql/sql_class.cc
    Don't pass the user query as a format string.
=== modified file 'mysql-test/suite/binlog/r/binlog_unsafe.result'
--- a/mysql-test/suite/binlog/r/binlog_unsafe.result	2008-04-03 09:50:43 +0000
+++ b/mysql-test/suite/binlog/r/binlog_unsafe.result	2009-02-09 11:58:32 +0000
@@ -220,3 +220,10 @@ Warning	1592	Statement is not safe to lo
 Warning	1592	Statement is not safe to log in statement format.
 DROP PROCEDURE p1;
 DROP TABLE t1;
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
+INSERT INTO t1 VALUES ('a','b');
+UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
+Warnings:
+Warning	1592	Statement is not safe to log in statement format.
+DROP TABLE t1;

=== modified file 'mysql-test/suite/binlog/t/binlog_unsafe.test'
--- a/mysql-test/suite/binlog/t/binlog_unsafe.test	2008-04-03 09:50:43 +0000
+++ b/mysql-test/suite/binlog/t/binlog_unsafe.test	2009-02-09 11:58:32 +0000
@@ -257,3 +257,17 @@ delimiter ;|
 CALL p1();
 DROP PROCEDURE p1;
 DROP TABLE t1;
+
+#
+# Bug#42634: % character in query can cause mysqld signal 11 segfault
+#
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+
+CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
+INSERT INTO t1 VALUES ('a','b');
+UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
+DROP TABLE t1;
+

=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc	2009-02-06 09:53:20 +0000
+++ b/sql/sql_class.cc	2009-02-09 11:58:32 +0000
@@ -3660,16 +3660,15 @@ int THD::binlog_query(THD::enum_binlog_q
   if (lex->is_stmt_unsafe() &&
       variables.binlog_format == BINLOG_FORMAT_STMT)
   {
-    DBUG_ASSERT(this->query != NULL);
     push_warning(this, MYSQL_ERROR::WARN_LEVEL_WARN,
                  ER_BINLOG_UNSAFE_STATEMENT,
                  ER(ER_BINLOG_UNSAFE_STATEMENT));
     if (!(binlog_flags & BINLOG_FLAG_UNSAFE_STMT_PRINTED))
     {
-      char warn_buf[MYSQL_ERRMSG_SIZE];
-      my_snprintf(warn_buf, MYSQL_ERRMSG_SIZE, "%s Statement: %s",
-                  ER(ER_BINLOG_UNSAFE_STATEMENT), this->query);
-      sql_print_warning(warn_buf);
+      sql_print_warning("%s Statement: %.*s",
+                        ER(ER_BINLOG_UNSAFE_STATEMENT),
+                        (query_len > MYSQL_ERRMSG_SIZE) ?
+                        MYSQL_ERRMSG_SIZE : (int) query_len, query_arg);
       binlog_flags|= BINLOG_FLAG_UNSAFE_STMT_PRINTED;
     }
   }
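Review bot: The fix at the `sql_print_warning` call depends on the user query never being the format argument, but nothing at the call site records that invariant, so a later tidy-up could fold the string back into the format; add `/* query_arg is user-controlled: pass it as a %.*s argument, never as the format string (Bug#42634). */` above the call. The `%.*s` cap at MYSQL_ERRMSG_SIZE truncates by byte and can cut a multi-byte character in the logged statement, which does not affect the crash fix but is worth a short comment since the log line is meant to be readable; it also assumes the logger's formatter honours `.*` precision, which should be confirmed for a my_vsnprintf-based logger. Dropping the DBUG_ASSERT on this->query is consistent, since this->query is no longer read in this branch. THD::binlog_query begins and ends outside the hunk.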
