From:ahristov Date:September 28 2006 7:11am
Subject:bk commit into 5.1 tree (andrey:1.2329)
Below is the list of changes that have just been committed into a local
5.1 repository of andrey. When andrey does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-09-28 09:11:22+02:00, andrey@stripped +3 -0
  Merge ahristov@stripped:/home/bk/mysql-5.1-runtime
  into  example.com:/work/mysql-5.1-runtime-fresh2
  MERGE: 1.2300.37.9

  mysql-test/r/sp.result@stripped, 2006-09-28 09:11:11+02:00, andrey@stripped +0 -0
    Auto merged
    MERGE: 1.223.1.3

  mysql-test/t/sp.test@stripped, 2006-09-28 09:11:11+02:00, andrey@stripped +0 -0
    Auto merged
    MERGE: 1.203.1.2

  sql/sp.cc@stripped, 2006-09-28 09:11:11+02:00, andrey@stripped +0 -0
    Auto merged
    MERGE: 1.120.1.2

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	andrey
# Host:	example.com
# Root:	/work/mysql-5.1-runtime-fresh2/RESYNC

--- 1.226/mysql-test/r/sp.result	2006-09-28 09:11:32 +02:00
+++ 1.227/mysql-test/r/sp.result	2006-09-28 09:11:32 +02:00
@@ -5451,4 +5451,11 @@ CHF
 DROP FUNCTION bug21493|
 DROP TABLE t3,t4|
 End of 5.0 tests
+set names utf8|
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+ERROR HY000: Failed to load routine това_е_дълго_име_за_база_данни_нали.. The table mysql.proc is missing, corrupt, or contains bad data (internal code -6)
+drop database това_е_дълго_име_за_база_данни_нали|
 drop table t1,t2;

--- 1.205/mysql-test/t/sp.test	2006-09-28 09:11:32 +02:00
+++ 1.206/mysql-test/t/sp.test	2006-09-28 09:11:32 +02:00
@@ -6381,6 +6381,19 @@ DROP TABLE t3,t4|
 
 
 #
+# BUG#21311: Possible stack overrun if SP has non-latin1 name
+#
+set names utf8|
+--disable_warnings
+drop database if exists това_е_дълго_име_за_база_данни_нали|
+--enable_warnings
+create database това_е_дълго_име_за_база_данни_нали|
+INSERT INTO mysql.proc VALUES ('това_е_дълго_име_за_база_данни_нали','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','PROCEDURE','това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго','SQL','CONTAINS_SQL','NO','DEFINER','','','bad_body','root@localhost',now(), now(),'','')|
+--error ER_SP_PROC_TABLE_CORRUPT
+call това_е_дълго_име_за_база_данни_нали.това_е_процедура_с_доста_дълго_име_нали_и_още_по_дълго()|
+drop database това_е_дълго_име_за_база_данни_нали|
+
+#
 # BUG#NNNN: New bug synopsis
 #
 #--disable_warnings
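Review bot: The `INSERT INTO mysql.proc VALUES (...)` in this test has no column list, so it depends on the exact column count and order of mysql.proc and will fail for a reason unrelated to BUG#21311 the next time that table gains or reorders a column. Naming the columns the statement fills would keep this regression test tied to the overrun rather than to the schema. The test also leaves `set names utf8` in effect for whatever follows in sp.test; restoring the previous character set after the final `drop database` would keep it self-contained. Removal of the hand-inserted row appears to rely on `drop database` cleaning up the routine's mysql.proc entry, which is not visible in this hunk.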

--- 1.122/sql/sp.cc	2006-09-28 09:11:32 +02:00
+++ 1.123/sql/sp.cc	2006-09-28 09:11:32 +02:00
@@ -1606,7 +1606,17 @@ sp_cache_routines_and_add_tables_aux(THD
          */
         if (!thd->net.report_error)
         {
-          char n[NAME_LEN*2+2];
+          /*
+            SP allows full NAME_LEN chars thus he have to allocate enough
+            size in bytes. Otherwise there is stack overrun could happen
+            if multibyte sequence is `name`. `db` is still safe because the
+            rest of the server checks agains NAME_LEN bytes and not chars.
+            Hence, the overrun happens only if the name is in length > 32 and
+            uses multibyte (cyrillic, greek, etc.)
+
+            !! Change 3 with SYSTEM_CHARSET_MBMAXLEN when it's defined.
+          */
+          char n[NAME_LEN*3*2+2];
 
           /* m_qname.str is not always \0 terminated */
           memcpy(n, name.m_qname.str, name.m_qname.length);
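Review bot: The `memcpy` into `n` on the last line is still unchecked, so the fix holds only while `name.m_qname.length` never exceeds `NAME_LEN*3*2+1`, and nothing in the visible code enforces that. The literal 3 stands in for the character set's maximum bytes per character (the added comment itself asks for SYSTEM_CHARSET_MBMAXLEN), so a later change to that width would silently bring the stack overrun back. I would make the invariant explicit at the copy site, for example `DBUG_ASSERT(name.m_qname.length < sizeof(n));`, or clamp with `uint len= min(name.m_qname.length, sizeof(n) - 1); memcpy(n, name.m_qname.str, len);` and write the terminator at `len`. The enclosing function starts and ends outside this hunk, so the termination step is presumed rather than visible.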