| List: | Commits | « Previous MessageNext Message » | |
| From: | Davi Arnaut | Date: | February 9 2009 7:18pm |
| Subject: | bzr commit into mysql-5.1-bugteam branch (davi:2794) Bug#42634 | ||
| View as plain text | |||
# At a local mysql-5.1-bugteam repository of davi
2794 Davi Arnaut 2009-02-09
Bug#42634: % character in query can cause mysqld signal 11 segfault
The problem is that a unfiltered user query was being passed as
the format string parameter of sql_print_warning which later
performs printf-like formatting, leading to crashes if the user
query contains formatting instructions (ie: %s). Also, it was
using THD::query as the source of the user query, but this
variable is not meaningful in some situations -- in a delayed
insert, it points to the table name.
The solution is to pass the user query as a parameter for the
format string and use the function parameter query_arg as the
source of the user query.
modified:
mysql-test/suite/binlog/r/binlog_unsafe.result
mysql-test/suite/binlog/t/binlog_unsafe.test
sql/sql_class.cc
per-file messages:
mysql-test/suite/binlog/r/binlog_unsafe.result
Add test case result for Bug#42634
mysql-test/suite/binlog/t/binlog_unsafe.test
Add test case for Bug#42634
sql/sql_class.cc
Don't pass the user query as a format string.
=== modified file 'mysql-test/suite/binlog/r/binlog_unsafe.result'
--- a/mysql-test/suite/binlog/r/binlog_unsafe.result 2008-04-03 09:50:43 +0000
+++ b/mysql-test/suite/binlog/r/binlog_unsafe.result 2009-02-09 18:17:58 +0000
@@ -220,3 +220,10 @@ Warning 1592 Statement is not safe to lo
Warning 1592 Statement is not safe to log in statement format.
DROP PROCEDURE p1;
DROP TABLE t1;
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
+INSERT INTO t1 VALUES ('a','b');
+UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
+Warnings:
+Warning 1592 Statement is not safe to log in statement format.
+DROP TABLE t1;
=== modified file 'mysql-test/suite/binlog/t/binlog_unsafe.test'
--- a/mysql-test/suite/binlog/t/binlog_unsafe.test 2008-04-03 09:50:43 +0000
+++ b/mysql-test/suite/binlog/t/binlog_unsafe.test 2009-02-09 18:17:58 +0000
@@ -257,3 +257,17 @@ delimiter ;|
CALL p1();
DROP PROCEDURE p1;
DROP TABLE t1;
+
+#
+# Bug#42634: % character in query can cause mysqld signal 11 segfault
+#
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+
+CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
+INSERT INTO t1 VALUES ('a','b');
+UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
+DROP TABLE t1;
+
=== modified file 'sql/sql_class.cc'
--- a/sql/sql_class.cc 2009-02-06 09:53:20 +0000
+++ b/sql/sql_class.cc 2009-02-09 18:17:58 +0000
@@ -3660,16 +3660,14 @@ int THD::binlog_query(THD::enum_binlog_q
if (lex->is_stmt_unsafe() &&
variables.binlog_format == BINLOG_FORMAT_STMT)
{
- DBUG_ASSERT(this->query != NULL);
push_warning(this, MYSQL_ERROR::WARN_LEVEL_WARN,
ER_BINLOG_UNSAFE_STATEMENT,
ER(ER_BINLOG_UNSAFE_STATEMENT));
if (!(binlog_flags & BINLOG_FLAG_UNSAFE_STMT_PRINTED))
{
- char warn_buf[MYSQL_ERRMSG_SIZE];
- my_snprintf(warn_buf, MYSQL_ERRMSG_SIZE, "%s Statement: %s",
- ER(ER_BINLOG_UNSAFE_STATEMENT), this->query);
- sql_print_warning(warn_buf);
+ sql_print_warning("%s Statement: %.*s",
+ ER(ER_BINLOG_UNSAFE_STATEMENT),
+ MYSQL_ERRMSG_SIZE, query_arg);
binlog_flags|= BINLOG_FLAG_UNSAFE_STMT_PRINTED;
}
}
| Thread | ||
|---|---|---|
| • bzr commit into mysql-5.1-bugteam branch (davi:2794) Bug#42634 | Davi Arnaut | 9 Feb 2009 |
© 1995-2008 MySQL AB, 2008-2009 Sun Microsystems, Inc.
Page generated in 0.109 sec. using MySQL 5.1.14-beta-log