
From:Davi Arnaut Date:April 30 2010 12:24am
Subject:bzr push into mysql-pe branch (davi:4048 to 4049)
 4049 Davi Arnaut	2010-04-29 [merge]
      Manual merge.

    modified:
      include/mysql_com.h
      mysql-test/r/trigger.result
      mysql-test/t/trigger.test
      sql/net_serv.cc
      sql/sp_head.cc
      sql/sp_head.h
      sql/sql_connect.cc
      sql/sql_lex.cc
 4048 Ramil Kalimullin	2010-04-29 [merge]
      Auto-merge.

    modified:
      sql/sql_parse.cc
=== modified file 'include/mysql_com.h'
--- a/include/mysql_com.h	2010-02-21 18:25:29 +0000
+++ b/include/mysql_com.h	2010-04-30 00:14:07 +0000
@@ -309,6 +309,16 @@ typedef struct st_net {
   /** Client library sqlstate buffer. Set along with the error message. */
   char sqlstate[SQLSTATE_LENGTH+1];
   void *extension;
+#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
+  /*
+    Controls whether a big packet should be skipped.
+
+    Initially set to FALSE by default. Unauthenticated sessions must have
+    this set to FALSE so that the server can't be tricked to read packets
+    indefinitely.
+  */
+  my_bool skip_big_packet;
+#endif
 } NET;
 
 
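Review bot: The new member is appended under `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)`, so `sizeof(NET)` now depends on the macros a translation unit was compiled with; NET appears to be embedded by value in THD (the sql_connect.cc hunk writes `thd->net.skip_big_packet`), so an object file that sees a different definition of NET would disagree on the layout of the enclosing structure without any compile-time diagnostic. If the conditional is deliberate, a comment on the `#if` saying why client builds must not carry the field would help; otherwise declaring it unconditionally and only consulting it in the server keeps one layout. The field comment could also name where the flag is set and read, e.g. `/* Set to TRUE by check_user() once the session is authenticated; consulted by my_real_read() in net_serv.cc. */`.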

=== modified file 'mysql-test/r/trigger.result'
--- a/mysql-test/r/trigger.result	2010-04-01 11:42:40 +0000
+++ b/mysql-test/r/trigger.result	2010-04-30 00:14:07 +0000
@@ -2128,6 +2128,27 @@ Warning	1048	Column 'id' cannot be null
 Warning	1048	Column 'id' cannot be null
 DROP TRIGGER t1_bu;
 DROP TABLE t1,t2;
+#
+# Bug#50755: Crash if stored routine def contains version comments
+#
+DROP DATABASE IF EXISTS db1;
+DROP TRIGGER IF EXISTS trg1;
+DROP TABLE IF EXISTS t1, t2;
+CREATE DATABASE db1;
+USE db1;
+CREATE TABLE t1 (b INT);
+CREATE TABLE t2 (a INT);
+CREATE TRIGGER trg1 BEFORE INSERT ON t2 FOR EACH ROW INSERT/*!INTO*/t1 VALUES (1);
+# Used to crash
+SHOW TRIGGERS IN db1;
+Trigger	Event	Table	Statement	Timing	Created	sql_mode	Definer	character_set_client	collation_connection	Database Collation
+INSERT INTO t2 VALUES (1);
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES (1)' at line 1
+SELECT * FROM t1;
+b
+# Work around Bug#45235
+DROP DATABASE db1;
+USE test;
 End of 5.1 tests.
 DROP TRIGGER IF EXISTS trg1;
 DROP TABLE IF EXISTS t1;

=== modified file 'mysql-test/t/trigger.test'
--- a/mysql-test/t/trigger.test	2010-04-01 11:42:40 +0000
+++ b/mysql-test/t/trigger.test	2010-04-30 00:14:07 +0000
@@ -2440,6 +2440,37 @@ UPDATE t1 SET id=NULL;
 DROP TRIGGER t1_bu;
 DROP TABLE t1,t2;
 
+--echo #
+--echo # Bug#50755: Crash if stored routine def contains version comments
+--echo #
+
+--disable_warnings
+DROP DATABASE IF EXISTS db1;
+DROP TRIGGER IF EXISTS trg1;
+DROP TABLE IF EXISTS t1, t2;
+--enable_warnings
+
+CREATE DATABASE db1;
+USE db1;
+
+CREATE TABLE t1 (b INT);
+CREATE TABLE t2 (a INT);
+
+CREATE TRIGGER trg1 BEFORE INSERT ON t2 FOR EACH ROW INSERT/*!INTO*/t1 VALUES (1);
+--echo # Used to crash
+SHOW TRIGGERS IN db1;
+--error ER_PARSE_ERROR
+INSERT INTO t2 VALUES (1);
+SELECT * FROM t1;
+
+--echo # Work around Bug#45235
+let $MYSQLD_DATADIR = `select @@datadir`;
+--remove_file $MYSQLD_DATADIR/db1/t2.TRG
+--remove_file $MYSQLD_DATADIR/db1/trg1.TRN
+
+DROP DATABASE db1;
+USE test;
+
 --echo End of 5.1 tests.
 
 #

=== modified file 'sql/net_serv.cc'
--- a/sql/net_serv.cc	2010-04-08 10:50:40 +0000
+++ b/sql/net_serv.cc	2010-04-30 00:14:07 +0000
@@ -132,6 +132,9 @@ my_bool my_net_init(NET *net, Vio* vio)
   net->where_b = net->remain_in_buf=0;
   net->last_errno=0;
   net->unused= 0;
+#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
+  net->skip_big_packet= FALSE;
+#endif
 
   if (vio != 0)					/* If real connection */
   {
@@ -966,6 +969,7 @@ my_real_read(NET *net, size_t *complen)
 	  {
 #if defined(MYSQL_SERVER) && !defined(NO_ALARM)
 	    if (!net->compress &&
+                net->skip_big_packet &&
 		!my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff))
 	      net->error= 3;		/* Successfully skiped packet */
 #endif
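Review bot: The new `net->skip_big_packet &&` operand sits under `#if defined(MYSQL_SERVER) && !defined(NO_ALARM)`, whereas the member is declared only under `MYSQL_SERVER && !EMBEDDED_LIBRARY`; a build with MYSQL_SERVER and EMBEDDED_LIBRARY defined but NO_ALARM undefined would reference a field that does not exist. Presumably net_serv.cc adjusts these macros for the embedded build earlier in the file (outside the hunk), but the guards should either match or the dependence should be stated next to the check. What happens to an unauthenticated session's oversized packet now that the drain is bypassed is not visible in this hunk, and a one-line comment at the condition would make the intent reviewable: `/* Only authenticated sessions may make the server drain an oversized packet (see check_user()). */`. The enclosing my_real_read() starts and ends outside the hunk.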

=== modified file 'sql/sp_head.cc'
--- a/sql/sp_head.cc	2010-04-28 08:04:39 +0000
+++ b/sql/sp_head.cc	2010-04-30 00:14:07 +0000
@@ -743,21 +743,12 @@ create_typelib(MEM_ROOT *mem_root, Creat
 
 sp_head::~sp_head()
 {
+  LEX *lex;
+  sp_instr *i;
   DBUG_ENTER("sp_head::~sp_head");
-  destroy();
-  delete m_next_cached_sp;
-  if (m_thd)
-    restore_thd_mem_root(m_thd);
-  DBUG_VOID_RETURN;
-}
 
-void
-sp_head::destroy()
-{
-  sp_instr *i;
-  LEX *lex;
-  DBUG_ENTER("sp_head::destroy");
-  DBUG_PRINT("info", ("name: %s", m_name.str));
+  /* sp_head::restore_thd_mem_root() must already have been called. */
+  DBUG_ASSERT(m_thd == NULL);
 
   for (uint ip = 0 ; (i = get_instr(ip)) ; ip++)
     delete i;
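Review bot: Replacing the removed `if (m_thd) restore_thd_mem_root(m_thd);` with `DBUG_ASSERT(m_thd == NULL)` turns a state the destructor used to repair into a precondition that is checked only in debug builds; in a release build a delete site that forgets to call restore_thd_mem_root() first is no longer corrected, and the THD would presumably be left referring to memory this destructor frees. The precondition should be stated at the declaration of `~sp_head()` in sp_head.h, where the commit only removes `destroy()`, e.g. `/// Requires that restore_thd_mem_root() has already been called for the THD that parsed this routine; see LEX::cleanup_lex_after_parse_error().`. The destructor's body continues in the next hunk.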
@@ -768,21 +759,22 @@ sp_head::destroy()
   /*
     If we have non-empty LEX stack then we just came out of parser with
     error. Now we should delete all auxilary LEXes and restore original
-    THD::lex (In this case sp_head::restore_thd_mem_root() was not called
-    too, so m_thd points to the current thread context).
-    It is safe to not update LEX::ptr because further query string parsing
-    and execution will be stopped anyway.
+    THD::lex. It is safe to not update LEX::ptr because further query
+    string parsing and execution will be stopped anyway.
   */
-  DBUG_ASSERT(m_lex.is_empty() || m_thd);
   while ((lex= (LEX *)m_lex.pop()))
   {
-    lex_end(m_thd->lex);
-    delete m_thd->lex;
-    m_thd->lex= lex;
+    THD *thd= lex->thd;
+    lex_end(thd->lex);
+    delete thd->lex;
+    thd->lex= lex;
   }
 
   my_hash_free(&m_sptabs);
   my_hash_free(&m_sroutines);
+
+  delete m_next_cached_sp;
+
   DBUG_VOID_RETURN;
 }
 
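Review bot: `THD *thd= lex->thd;` in the LEX-stack loop relies on every LEX pushed onto m_lex carrying a non-NULL `thd`; the old code used m_thd, which the removed `DBUG_ASSERT(m_lex.is_empty() || m_thd)` guaranteed, and that assertion has no replacement. A one-line `DBUG_ASSERT(thd != NULL);` after the assignment would keep the invariant visible. The relocated `delete m_next_cached_sp;` presumably deletes the rest of the cache chain recursively through this same destructor, so the recursion depth grows with the number of cached copies of the routine; that is pre-existing behaviour, but a comment would help now that the destructor is the only place it happens: `/* Deletes the remaining cache chain recursively via ~sp_head. */`.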

=== modified file 'sql/sp_head.h'
--- a/sql/sp_head.h	2010-04-10 09:11:47 +0000
+++ b/sql/sp_head.h	2010-04-30 00:14:07 +0000
@@ -305,10 +305,6 @@ public:
 
   virtual ~sp_head();
 
-  /// Free memory
-  void
-  destroy();
-
   bool
   execute_trigger(THD *thd,
                   const LEX_STRING *db_name,

=== modified file 'sql/sql_connect.cc'
--- a/sql/sql_connect.cc	2010-04-13 15:31:32 +0000
+++ b/sql/sql_connect.cc	2010-04-30 00:14:07 +0000
@@ -496,6 +496,13 @@ check_user(THD *thd, enum enum_server_co
       }
       my_ok(thd);
       thd->password= test(passwd_len);          // remember for error messages 
+      /*
+        Allow the network layer to skip big packets. Although a malicious
+        authenticated session might use this to trick the server to read
+        big packets indefinitely, this is a previously established behavior
+        that needs to be preserved as to not break backwards compatibility.
+      */
+      thd->net.skip_big_packet= TRUE;
       /* Ready to handle queries */
       DBUG_RETURN(0);
     }
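Review bot: `thd->net.skip_big_packet= TRUE;` is unconditional, but the member exists only when `MYSQL_SERVER && !EMBEDDED_LIBRARY` (see the mysql_com.h hunk); unless this part of check_user() is already excluded from the embedded build, which is outside the hunk, the assignment needs its own `#ifndef EMBEDDED_LIBRARY` / `#endif`. The flag is enabled on the one success path visible here and nothing in this commit clears it, so the drain behaviour persists for the rest of the connection once authentication succeeds; the comment could say so and name the consumer, e.g. `Read by my_real_read() in net_serv.cc; stays TRUE for the remainder of the connection.`. The enclosing check_user() starts and ends outside the hunk.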

=== modified file 'sql/sql_lex.cc'
--- a/sql/sql_lex.cc	2010-04-19 15:35:00 +0000
+++ b/sql/sql_lex.cc	2010-04-30 00:14:07 +0000
@@ -2219,6 +2219,7 @@ void LEX::cleanup_lex_after_parse_error(
   */
   if (thd->lex->sphead)
   {
+    thd->lex->sphead->restore_thd_mem_root(thd);
     delete thd->lex->sphead;
     thd->lex->sphead= NULL;
   }
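Review bot: The added `restore_thd_mem_root(thd)` call now has to precede every `delete` of an sp_head created by the current parse, because ~sp_head asserts `m_thd == NULL` instead of restoring the mem root itself; this hunk covers the parse-error path, but whether restore_thd_mem_root() tolerates being called when the mem root was already restored (a routine that parsed successfully before a later error) is not visible here and would be worth confirming. A short comment would record the contract for the next delete site: `/* ~sp_head requires the THD mem_root to have been restored first; see sp_head::restore_thd_mem_root(). */`. The enclosing LEX::cleanup_lex_after_parse_error() starts and ends outside the hunk.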

