From:kgeorge Date:March 26 2007 9:32am
Subject:bk commit into 5.1 tree (gkodinov:1.2506) BUG#26303
Below is the list of changes that have just been committed into a local
5.1 repository of kgeorge. When kgeorge does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-03-26 12:32:51+03:00, gkodinov@stripped +4 -0
  Bug #26303: Reserve is not called before qs_append(). 
  This may lead to buffer overflow.
  The String::qs_append() function will append a string
  without checking if there's enough space.
  So reserve() must be called beforehand to ensure 
  there's enough space in the buffer for the subsequent 
  qs_append() calls.
  Fixed Item_case_expr::print() to make sure there's
  enough space before appending data by adding a call to 
  String::reserve() to make sure qs_append() will have 
  enough space.

  mysql-test/r/sp-code.result@stripped, 2007-03-26 12:32:50+03:00, gkodinov@stripped +17 -0
    Bug #26303: test case

  mysql-test/t/sp-code.test@stripped, 2007-03-26 12:32:50+03:00, gkodinov@stripped +18 -0
    Bug #26303: test case

  sql/item.cc@stripped, 2007-03-26 12:32:50+03:00, gkodinov@stripped +3 -1
    Bug #26303: added a call to String::reserve() to
     make sure qs_append will have enough space

  sql/item.h@stripped, 2007-03-26 12:32:50+03:00, gkodinov@stripped +2 -2
    Bug #26303: m_case_expr_id made unsigned 
    because it's offset in an array.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	gkodinov
# Host:	magare.gmz
# Root:	/home/kgeorge/mysql/work/B26303-5.1-opt

--- 1.255/sql/item.cc	2007-03-14 16:42:50 +02:00
+++ 1.256/sql/item.cc	2007-03-26 12:32:50 +03:00
@@ -1088,7 +1088,7 @@ bool Item_splocal::set_value(THD *thd, s
   Item_case_expr methods
 *****************************************************************************/
 
-Item_case_expr::Item_case_expr(int case_expr_id)
+Item_case_expr::Item_case_expr(uint case_expr_id)
   :Item_sp_variable( C_STRING_WITH_LEN("case_expr")),
    m_case_expr_id(case_expr_id)
 {
@@ -1125,6 +1125,8 @@ Item_case_expr::this_item_addr(THD *thd,
 
 void Item_case_expr::print(String *str)
 {
+  if (str->reserve(MAX_INT_WIDTH + sizeof("case_expr@")))
+    return;                                    /* purecov: inspected */
   VOID(str->append(STRING_WITH_LEN("case_expr@")));
   str->qs_append(m_case_expr_id);
 }
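Review bot: The reserve size on the added line is correct but its derivation is implicit, and `sizeof("case_expr@")` counts the terminating NUL, so one byte more than the two appends below can write is requested; that is harmless, but it reads as an off-by-one to the next maintainer and nothing ties the constant to the `qs_append()` call it protects. A short comment above the check, `/* qs_append() does no bounds check: reserve the literal prefix plus the widest decimal uint it can emit */`, would make the invariant explicit and warn anyone adding a further qs_append() here to grow the reservation. Since m_case_expr_id is now uint, the qs_append() call presumably resolves to an unsigned overload; if String only provides qs_append(int), the value is converted back and ids above INT_MAX would print negative — worth confirming against sql_string.h.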

--- 1.230/sql/item.h	2007-03-14 16:42:50 +02:00
+++ 1.231/sql/item.h	2007-03-26 12:32:50 +03:00
@@ -1116,7 +1116,7 @@ inline Item_result Item_splocal::result_
 class Item_case_expr :public Item_sp_variable
 {
 public:
-  Item_case_expr(int case_expr_id);
+  Item_case_expr(uint case_expr_id);
 
 public:
   Item *this_item();
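Review bot: The single-argument constructor on the changed line is still not `explicit`, so any uint (or int, via conversion) silently converts to an Item_case_expr wherever one is expected; `explicit Item_case_expr(uint case_expr_id);` closes that off at no cost to the existing callers, which construct it directly. The same hunk's widening of the parameter is matched by the member change in the second hunk of this file, so the two stay consistent.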
@@ -1135,7 +1135,7 @@ public:
   void print(String *str);
 
 private:
-  int m_case_expr_id;
+  uint m_case_expr_id;
 };
 
 /*****************************************************************************

--- 1.13/mysql-test/r/sp-code.result	2007-01-24 18:12:28 +02:00
+++ 1.14/mysql-test/r/sp-code.result	2007-03-26 12:32:50 +03:00
@@ -621,3 +621,20 @@ Pos	Instruction
 0	stmt 2 "CREATE INDEX idx ON t1 (c1)"
 DROP PROCEDURE p1;
 End of 5.0 tests.
+CREATE PROCEDURE p1() 
+BEGIN 
+DECLARE dummy int default 0;
+CASE 12 
+WHEN 12 
+THEN SET dummy = 0;
+END CASE;
+END//
+SHOW PROCEDURE CODE p1;
+Pos	Instruction
+0	set dummy@0 0
+1	set_case_expr (6) 0 12
+2	jump_if_not 5(6) (case_expr@0 = 12)
+3	set dummy@0 0
+4	jump 6
+5	error 1339
+DROP PROCEDURE p1;

--- 1.6/mysql-test/t/sp-code.test	2006-11-17 21:14:27 +02:00
+++ 1.7/mysql-test/t/sp-code.test	2007-03-26 12:32:50 +03:00
@@ -447,3 +447,21 @@ DROP PROCEDURE p1;
 
 
 --echo End of 5.0 tests.
+
+#
+# Bug #26303: reserve() not called before qs_append() may lead to buffer
+# overflow
+#
+DELIMITER //;
+CREATE PROCEDURE p1() 
+BEGIN 
+  DECLARE dummy int default 0;
+
+  CASE 12 
+    WHEN 12 
+    THEN SET dummy = 0;
+  END CASE;
+END//
+DELIMITER ;//
+SHOW PROCEDURE CODE p1;
+DROP PROCEDURE p1;
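Review bot: The added test only exercises print() with a single-digit case_expr id, so the buffer overflow it is written for would not surface as a wrong result; it can only be caught when the server runs under a memory checker such as valgrind. The header comment could say so, e.g. `# The overflow is only detectable under valgrind; the SHOW output itself is unchanged by the fix`, so a future reader does not assume a plain run validates the fix.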