From:
Date: July 25 2006 9:09pm
Subject: bk commit into 5.0 tree (kroki:1.2241) BUG#21206
List-Archive: http://lists.mysql.com/commits/9546
X-Bug: 21206
Message-Id: <200607251909.k6PJ9DEZ010593@moonlight.intranet>

Below is the list of changes that have just been committed into a local 5.0 repository of tomash. When tomash does a push these changes will be propagated to the main repository and, within 24 hours after the push, to the public repository. For information on how to access the public repository see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-07-25 23:09:08+04:00, kroki@stripped +2 -0
  BUG#21206: memory corruption when too many prepared statements are opened at once

  The cause of the bug was that random memory was overwritten in bitmap_set_next() due to out-of-bound memory access.

  No test case is provided for the following reasons:
  - In SQL, when you reuse a prepared statement, the previous one is freed
  - We could write a test case in C, but a crash is not guaranteed
  - Looking at the patch, I doubt the fix requires a test case at all.

  mysys/my_bitmap.c@stripped, 2006-07-25 23:09:05+04:00, kroki@stripped +2 -2
    Local 'bitmap_size' is measured in bytes, no need to multiply it by 8.

  sql/sql_select.cc@stripped, 2006-07-25 23:09:05+04:00, kroki@stripped +8 -4
    Reset the bit only if we set it previously.

# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: kroki
# Host: moonlight.intranet
# Root: /home/tomash/src/mysql_ab/mysql-5.0-bug21206

--- 1.429/sql/sql_select.cc 2006-07-25 23:09:16 +04:00
+++ 1.430/sql/sql_select.cc 2006-07-25 23:09:16 +04:00
@@ -8414,13 +8414,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA param->group_length : 0, NullS)) { - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); DBUG_RETURN(NULL); /* purecov: inspected */ } /* Copy_field belongs to TMP_TABLE_PARAM, allocate it in THD mem_root */ if (!(param->copy_field= copy= new (thd->mem_root) Copy_field[field_count])) { - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); free_root(&own_root, MYF(0)); /* purecov: inspected */ DBUG_RETURN(NULL); /* purecov: inspected */ } @@ -8944,7 +8946,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA err: thd->mem_root= mem_root_save; free_tmp_table(thd,table); /* purecov: inspected */ - bitmap_clear_bit(&temp_pool, temp_pool_slot); + if (temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, temp_pool_slot); DBUG_RETURN(NULL); /* purecov: inspected */ } @@ -9232,7 +9235,8 @@ free_tmp_table(THD *thd, TABLE *entry) (*ptr)->free(); free_io_cache(entry); - bitmap_clear_bit(&temp_pool, entry->temp_pool_slot); + if (entry->temp_pool_slot != MY_BIT_NONE) + bitmap_clear_bit(&temp_pool, entry->temp_pool_slot); free_root(&own_root, MYF(0)); /* the table is allocated in its own root */ thd->proc_info=save_proc_info; --- 1.30/mysys/my_bitmap.c 2006-07-25 23:09:16 +04:00 +++ 1.31/mysys/my_bitmap.c 2006-07-25 23:09:16 +04:00 @@ -159,7 +159,7 @@ uint bitmap_set_next(MY_BITMAP *map) { uchar *bitmap=map->bitmap; uint bit_found = MY_BIT_NONE; - uint bitmap_size=map->bitmap_size*8; + uint bitmap_size=map->bitmap_size; uint i; DBUG_ASSERT(map->bitmap); @@ -445,7 +445,7 @@ uint bitmap_get_first(const MY_BITMAP *m { uchar *bitmap=map->bitmap; uint bit_found = MY_BIT_NONE; - uint bitmap_size=map->bitmap_size*8; + uint bitmap_size=map->bitmap_size; uint i; DBUG_ASSERT(map->bitmap);
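Review bot: in the two allocation-failure exits of create_tmp_table (hunk at line 8414) the pair `if (temp_pool_slot != MY_BIT_NONE) bitmap_clear_bit(&temp_pool, temp_pool_slot);` is pasted twice, and the same guard recurs in the later hunks of this file; a small static helper (say release_temp_pool_slot(), a name suggested here, not in the patch) would keep every cleanup path identical and make any future call site that forgets the check stand out in review. The hunk also does not show where temp_pool_slot is assigned, so please confirm it is initialised either to a slot or to MY_BIT_NONE on every path that can reach these two DBUG_RETURN(NULL) exits; otherwise the new comparison reads an indeterminate value.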
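Review bot: in the err: path of create_tmp_table (hunk at line 8944) the guarded bitmap_clear_bit(&temp_pool, temp_pool_slot) runs immediately after free_tmp_table(thd,table), and the hunk at line 9232 shows free_tmp_table itself clearing entry->temp_pool_slot. If table->temp_pool_slot carries the same slot, the bit is released twice; a double clear is harmless only as long as nothing can acquire that slot between the two calls. Either skip the second clear when ownership of the slot has already passed to the TABLE, or set the local to MY_BIT_NONE at that hand-over, and say in a comment which of the two owns the slot.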
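Review bot: the check `if (entry->temp_pool_slot != MY_BIT_NONE)` in free_tmp_table (hunk at line 9232) turns MY_BIT_NONE into the "no slot held" value for TABLE::temp_pool_slot, but nothing in the patch records that convention next to the field or at the point where the slot is obtained; add a one-line comment on the field stating that MY_BIT_NONE means the table holds no temp_pool slot, because this function is the release point every caller relies on.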
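Review bot: the `*8` dropped in bitmap_set_next (hunk at line 159) is the actual corruption fix: `bitmap` is a `uchar *` and map->bitmap_size is its byte count, so a bound of map->bitmap_size*8 let the scan run up to eight times past the end of the allocation, which matches the overwrite described in the commit message. Two follow-ups: give the local a name that carries its unit (it reuses the member's name while the commit note had to explain that it is bytes), and, since the changeset ships without a test, add a DBUG_ASSERT on the found-bit path that the byte index is below map->bitmap_size so a reintroduced bits/bytes mix-up fails loudly in debug builds instead of corrupting the heap.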
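Review bot: the hunk at line 445 applies the same `*8` correction in bitmap_get_first, which takes a `const MY_BITMAP *`, so the old bound there was an out-of-bounds read rather than the write in bitmap_set_next, but still undefined behaviour; because the identical expression sat in two functions, grep the rest of mysys/my_bitmap.c for `bitmap_size*8` before pushing, and consider giving both functions one shared byte-scanning loop so the unit of the bound is fixed in a single place.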