From a30e9dda786e4583b567348d52405f283d201167 Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Wed, 24 Nov 2010 23:03:16 +0300 Subject: [PATCH 01/13] backport of bug #54461 from 5.1-security to 5.0-security > revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780 > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l > committer: Gleb Shchepa > branch nick: mysql-5.1-security > timestamp: Sun 2010-08-01 22:12:36 +0400 > Bug #54461: crash with longblob and union or update with subquery > > Queries may crash, if > 1) the GREATEST or the LEAST function has a mixed list of > numeric and LONGBLOB arguments and > 2) the result of such a function goes through an intermediate > temporary table. > > An Item that references a LONGBLOB field has max_length of > UINT_MAX32 == (2^32 - 1). > > The current implementation of GREATEST/LEAST returns REAL > result for a mixed list of numeric and string arguments (that > contradicts with the current documentation, this contradiction > was discussed and it was decided to update the documentation). > > The max_length of such a function call was calculated as a > maximum of argument max_length values (i.e. UINT_MAX32). > > That max_length value of UINT_MAX32 was used as a length for > the intermediate temporary table Field_double to hold > GREATEST/LEAST function result. > > The Field_double::val_str() method call on that field > allocates a String value. > > Since an allocation of String reserves an additional byte > for a zero-termination, the size of String buffer was > set to (UINT_MAX32 + 1), that caused an integer overflow: > actually, an empty buffer of size 0 was allocated. > > An initialization of the "first" byte of that zero-size > buffer with '\0' caused a crash. > > The Item_func_min_max::fix_length_and_dec() has been > modified to calculate max_length for the REAL result like > we do it for arithmetical operators. mysql-test/r/func_misc.result: Test case for bug #54461. mysql-test/t/func_misc.test: Test case for bug #54461. sql/item_func.cc: Bug #54461: crash with longblob and union or update with subquery The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators. --- mysql-test/r/func_misc.result | 15 +++++++++++++++ mysql-test/t/func_misc.test | 13 ++++++++++++- sql/item_func.cc | 2 ++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result index 9f2fcb06638..f23718466d3 100644 --- a/mysql-test/r/func_misc.result +++ b/mysql-test/r/func_misc.result @@ -327,4 +327,19 @@ DROP TABLE t1; select NAME_CONST('_id',1234) as id; id 1234 +# +# Bug #54461: crash with longblob and union or update with subquery +# +CREATE TABLE t1 (a INT, b LONGBLOB); +INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2'); +SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +LEAST(a, (SELECT b FROM t1 LIMIT 1)) +1 +2 +SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +GREATEST(a, (SELECT b FROM t1 LIMIT 1)) +2 +3 +1 +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test index 01c508c9b58..89359fab0ca 100644 --- a/mysql-test/t/func_misc.test +++ b/mysql-test/t/func_misc.test @@ -450,5 +450,16 @@ DROP TABLE t1; # select NAME_CONST('_id',1234) as id; ---echo End of 5.0 tests +--echo # +--echo # Bug #54461: crash with longblob and union or update with subquery +--echo # +CREATE TABLE t1 (a INT, b LONGBLOB); +INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2'); + +SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; +SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1; + +DROP TABLE t1; + +--echo End of 5.0 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index cb0d6bdbe5f..8af7db7fa1a 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2250,6 +2250,8 @@ void Item_func_min_max::fix_length_and_dec() else if ((cmp_type == DECIMAL_RESULT) || (cmp_type == INT_RESULT)) max_length= my_decimal_precision_to_length(max_int_part+decimals, decimals, unsigned_flag); + else if (cmp_type == REAL_RESULT) + max_length= float_length(decimals); cached_field_type= agg_field_type(args, arg_count); } From 721983c393c07618541b5ebfb9c780ed3cf7a687 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 26 Nov 2010 07:28:22 +0100 Subject: [PATCH 02/13] Raise version number after cloning 5.1.54 --- configure.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.in b/configure.in index 6c9c64d9c86..7a35e8587d4 100644 --- a/configure.in +++ b/configure.in @@ -12,7 +12,7 @@ dnl dnl When changing the major version number please also check the switch dnl statement in mysqlbinlog::check_master_version(). You may also need dnl to update version.c in ndb. -AC_INIT([MySQL Server], [5.1.54], [], [mysql]) +AC_INIT([MySQL Server], [5.1.55], [], [mysql]) AC_CONFIG_SRCDIR([sql/mysqld.cc]) AC_CANONICAL_SYSTEM From a699e4fce85a055e3ee55db12e9891e3b26ef720 Mon Sep 17 00:00:00 2001 From: Sunny Bains Date: Tue, 30 Nov 2010 20:11:26 +1100 Subject: [PATCH 03/13] Fix Bug# 56228 - Dropping tables from within an active statement crashes server InnoDB AUTOINC code expects the locks to be released in strict reverse order at the end of the statement. However, nested stored proedures and partition tables break this rule. We now allow the locks to be deleted from the trx->autoinc_locks vector in any order but optimise for the common (old) case. rb://441 Approved by Marko Makela --- .../r/innodb-autoinc-56228.result | 30 +++++++ .../t/innodb-autoinc-56228-master.opt | 1 + .../innodb_plugin/t/innodb-autoinc-56228.test | 42 ++++++++++ storage/innodb_plugin/include/ut0vec.h | 19 +++++ storage/innodb_plugin/include/ut0vec.ic | 29 +++++++ storage/innodb_plugin/lock/lock0lock.c | 78 ++++++++++++++++++- 6 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result create mode 100644 mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt create mode 100644 mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test diff --git a/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result b/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result new file mode 100644 index 00000000000..2ff2bd2800a --- /dev/null +++ b/mysql-test/suite/innodb_plugin/r/innodb-autoinc-56228.result @@ -0,0 +1,30 @@ +DROP TABLE IF EXISTS t1_56228; +Warnings: +Note 1051 Unknown table 't1_56228' +DROP TABLE IF EXISTS t2_56228; +Warnings: +Note 1051 Unknown table 't2_56228' +DROP FUNCTION IF EXISTS bug56228; +Warnings: +Note 1305 FUNCTION bug56228 does not exist +CREATE TEMPORARY TABLE t1_56228( +c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE TEMPORARY TABLE t2_56228( +c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE FUNCTION bug56228() RETURNS INT DETERMINISTIC +BEGIN +INSERT INTO t1_56228 VALUES(NULL); +INSERT INTO t2_56228 VALUES(NULL); +INSERT INTO t1_56228 VALUES(NULL); +INSERT INTO t2_56228 VALUES(NULL); +DROP TEMPORARY TABLE t1_56228; +RETURN 42; +END // +SELECT bug56228(); +bug56228() +42 +DROP FUNCTION bug56228; +DROP TEMPORARY TABLE t2_56228; +DROP TEMPORARY TABLE IF EXISTS t1_56228; +Warnings: +Note 1051 Unknown table 't1_56228' diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt new file mode 100644 index 00000000000..0eed7aaadad --- /dev/null +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228-master.opt @@ -0,0 +1 @@ +--innodb_autoinc_lock_mode=0 diff --git a/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test new file mode 100644 index 00000000000..eb38b21861d --- /dev/null +++ b/mysql-test/suite/innodb_plugin/t/innodb-autoinc-56228.test @@ -0,0 +1,42 @@ +-- source include/have_innodb_plugin.inc + +let $innodb_file_format_check_orig=`select @@innodb_file_format_check`; + +## +# Bug #56228: dropping tables from within an active statement crashes server +# +DROP TABLE IF EXISTS t1_56228; +DROP TABLE IF EXISTS t2_56228; +DROP FUNCTION IF EXISTS bug56228; + +CREATE TEMPORARY TABLE t1_56228( + c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; +CREATE TEMPORARY TABLE t2_56228( + c1 iNT AUTO_INCREMENT PRIMARY KEY) ENGINE=InnoDB; + +DELIMITER //; + +CREATE FUNCTION bug56228() RETURNS INT DETERMINISTIC +BEGIN + INSERT INTO t1_56228 VALUES(NULL); + INSERT INTO t2_56228 VALUES(NULL); + INSERT INTO t1_56228 VALUES(NULL); + INSERT INTO t2_56228 VALUES(NULL); + DROP TEMPORARY TABLE t1_56228; + RETURN 42; +END // + +DELIMITER ;// + +SELECT bug56228(); + +DROP FUNCTION bug56228; +DROP TEMPORARY TABLE t2_56228; +DROP TEMPORARY TABLE IF EXISTS t1_56228; + +# +# restore environment to the state it was before this test execution +# + +-- disable_query_log +eval set global innodb_file_format_check=$innodb_file_format_check_orig; diff --git a/storage/innodb_plugin/include/ut0vec.h b/storage/innodb_plugin/include/ut0vec.h index a770f671cfc..0f8b955b098 100644 --- a/storage/innodb_plugin/include/ut0vec.h +++ b/storage/innodb_plugin/include/ut0vec.h @@ -93,6 +93,25 @@ ib_vector_get( ib_vector_t* vec, /*!< in: vector */ ulint n); /*!< in: element index to get */ +/****************************************************************//** +Get last element. The vector must not be empty. +@return last element */ +UNIV_INLINE +void* +ib_vector_get_last( +/*===============*/ + ib_vector_t* vec); /*!< in: vector */ + +/****************************************************************//** +Set the n'th element. */ +UNIV_INLINE +void +ib_vector_set( +/*==========*/ + ib_vector_t* vec, /*!< in/out: vector */ + ulint n, /*!< in: element index to set */ + void* elem); /*!< in: data element */ + /****************************************************************//** Remove the last element from the vector. */ UNIV_INLINE diff --git a/storage/innodb_plugin/include/ut0vec.ic b/storage/innodb_plugin/include/ut0vec.ic index 02e881f9bca..34c858868ce 100644 --- a/storage/innodb_plugin/include/ut0vec.ic +++ b/storage/innodb_plugin/include/ut0vec.ic @@ -50,6 +50,35 @@ ib_vector_get( return(vec->data[n]); } +/****************************************************************//** +Get last element. The vector must not be empty. +@return last element */ +UNIV_INLINE +void* +ib_vector_get_last( +/*===============*/ + ib_vector_t* vec) /*!< in: vector */ +{ + ut_a(vec->used > 0); + + return(vec->data[vec->used - 1]); +} + +/****************************************************************//** +Set the n'th element. */ +UNIV_INLINE +void +ib_vector_set( +/*==========*/ + ib_vector_t* vec, /*!< in/out: vector */ + ulint n, /*!< in: element index to set */ + void* elem) /*!< in: data element */ +{ + ut_a(n < vec->used); + + vec->data[n] = elem; +} + /****************************************************************//** Remove the last element from the vector. @return last vector element */ diff --git a/storage/innodb_plugin/lock/lock0lock.c b/storage/innodb_plugin/lock/lock0lock.c index 77d69d11a2d..c8bbc5c02bd 100644 --- a/storage/innodb_plugin/lock/lock0lock.c +++ b/storage/innodb_plugin/lock/lock0lock.c @@ -3624,6 +3624,80 @@ lock_table_create( return(lock); } +/*************************************************************//** +Pops autoinc lock requests from the transaction's autoinc_locks. We +handle the case where there are gaps in the array and they need to +be popped off the stack. */ +UNIV_INLINE +void +lock_table_pop_autoinc_locks( +/*=========================*/ + trx_t* trx) /*!< in/out: transaction that owns the AUTOINC locks */ +{ + ut_ad(mutex_own(&kernel_mutex)); + ut_ad(!ib_vector_is_empty(trx->autoinc_locks)); + + /* Skip any gaps, gaps are NULL lock entries in the + trx->autoinc_locks vector. */ + + do { + ib_vector_pop(trx->autoinc_locks); + + if (ib_vector_is_empty(trx->autoinc_locks)) { + return; + } + + } while (ib_vector_get_last(trx->autoinc_locks) == NULL); +} + +/*************************************************************//** +Removes an autoinc lock request from the transaction's autoinc_locks. */ +UNIV_INLINE +void +lock_table_remove_autoinc_lock( +/*===========================*/ + lock_t* lock, /*!< in: table lock */ + trx_t* trx) /*!< in/out: transaction that owns the lock */ +{ + lock_t* autoinc_lock; + lint i = ib_vector_size(trx->autoinc_locks) - 1; + + ut_ad(mutex_own(&kernel_mutex)); + ut_ad(lock_get_mode(lock) == LOCK_AUTO_INC); + ut_ad(lock_get_type_low(lock) & LOCK_TABLE); + ut_ad(!ib_vector_is_empty(trx->autoinc_locks)); + + /* With stored functions and procedures the user may drop + a table within the same "statement". This special case has + to be handled by deleting only those AUTOINC locks that were + held by the table being dropped. */ + + autoinc_lock = ib_vector_get(trx->autoinc_locks, i); + + /* This is the default fast case. */ + + if (autoinc_lock == lock) { + lock_table_pop_autoinc_locks(trx); + } else { + /* The last element should never be NULL */ + ut_a(autoinc_lock != NULL); + + /* Handle freeing the locks from within the stack. */ + + while (--i >= 0) { + autoinc_lock = ib_vector_get(trx->autoinc_locks, i); + + if (UNIV_LIKELY(autoinc_lock == lock)) { + ib_vector_set(trx->autoinc_locks, i, NULL); + return; + } + } + + /* Must find the autoinc lock. */ + ut_error; + } +} + /*************************************************************//** Removes a table lock request from the queue and the trx list of locks; this is a low-level function which does NOT check if waiting requests @@ -3663,10 +3737,8 @@ lock_table_remove_low( if (!lock_get_wait(lock) && !ib_vector_is_empty(trx->autoinc_locks)) { - lock_t* autoinc_lock; - autoinc_lock = ib_vector_pop(trx->autoinc_locks); - ut_a(autoinc_lock == lock); + lock_table_remove_autoinc_lock(lock, trx); } ut_a(table->n_waiting_or_granted_auto_inc_locks > 0); From a4b106c882d56516b0f9c01b54432608a30577c8 Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Fri, 3 Dec 2010 16:56:36 +0200 Subject: [PATCH 04/13] Backport of bug #55564 to 5.0-security --- mysql-test/r/user_var.result | 17 +++++++++++++++++ mysql-test/t/user_var.test | 20 ++++++++++++++++++++ sql/item_func.cc | 8 ++++++++ sql/item_func.h | 1 + 4 files changed, 46 insertions(+) diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index 8236dbe94ac..81b42676f6e 100644 --- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -378,4 +378,21 @@ FROM t1,t2 WHERE t1.f1 = t2.f1 ORDER BY t2.f1; MIN(t2.f1) @bar:= (SELECT MIN(t3.f2) FROM t3 WHERE t3.f2 > foo) 10 NULL DROP TABLE t1, t2, t3; +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +# BUG#55615 : should not crash +SELECT (@a:=((SELECT @a:=1 FROM t1 LIMIT 1))) AND COUNT(1) FROM t1 GROUP BY @a; +(@a:=((SELECT @a:=1 FROM t1 LIMIT 1))) AND COUNT(1) +1 +1 +# BUG#55564 : should not crash +SELECT IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +FROM t1 GROUP BY a LIMIT 1; +IF( +@v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), +count(*), 1) +1 +DROP TABLE t1; End of 5.0 tests diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test index 59a5238b35b..b4eb7910788 100644 --- a/mysql-test/t/user_var.test +++ b/mysql-test/t/user_var.test @@ -268,4 +268,24 @@ FROM t1,t2 WHERE t1.f1 = t2.f1 ORDER BY t2.f1; DROP TABLE t1, t2, t3; + +# +# Bug #55615: debug assertion after using variable in assignment and +# referred to +# Bug #55564: crash with user variables, assignments, joins... +# + +CREATE TABLE t1(a INT); +INSERT INTO t1 VALUES (0),(0); +--echo # BUG#55615 : should not crash +SELECT (@a:=((SELECT @a:=1 FROM t1 LIMIT 1))) AND COUNT(1) FROM t1 GROUP BY @a; +--echo # BUG#55564 : should not crash +SELECT IF( + @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a), + count(*), 1) +FROM t1 GROUP BY a LIMIT 1; + +DROP TABLE t1; + + --echo End of 5.0 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index 8af7db7fa1a..6cd8f34ecef 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -4303,6 +4303,14 @@ longlong Item_func_set_user_var::val_int_result() return entry->val_int(&null_value); } +bool Item_func_set_user_var::val_bool_result() +{ + DBUG_ASSERT(fixed == 1); + check(TRUE); + update(); // Store expression + return entry->val_int(&null_value) != 0; +} + String *Item_func_set_user_var::str_result(String *str) { DBUG_ASSERT(fixed == 1); diff --git a/sql/item_func.h b/sql/item_func.h index 47a13559e90..ccab6c855c6 100644 --- a/sql/item_func.h +++ b/sql/item_func.h @@ -1300,6 +1300,7 @@ public: my_decimal *val_decimal(my_decimal *); double val_result(); longlong val_int_result(); + bool val_bool_result(); String *str_result(String *str); my_decimal *val_decimal_result(my_decimal *); bool is_null_result(); From e5a88caf08749b6ac1de4d5420f04b6125898e08 Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Mon, 6 Dec 2010 23:38:31 +0300 Subject: [PATCH 05/13] Bug #57187: more user variable fun with multiple assignments and comparison in query A query that compares assignments of the same user variable caused Valgrind warnings: access to freed memory region. In case of a DECIMAL argument the assignment operator (:=) may return a pointer to a stored value instead of its copy when evaluated. The next assignment to the same variable may: a) overwrite the stored value with a new one and return the same pointer or even b) reallocate stored value. Thus, if we evaluate an assignment and keep the result pointer and then evaluate another assignment to the same variable, then the kept result pointer of the first assignment will point to unexpectedly changed data or it may be a dead pointer. That may cause wrong data or crash. The user_var_entry::val_decimal method has been modified to copy user variable data. mysql-test/r/user_var.result: Test case for bug #57187. mysql-test/t/user_var.test: Test case for bug #57187. sql/item_func.cc: Bug #57187: more user variable fun with multiple assignments and comparison in query The user_var_entry::val_decimal method has been modified to copy user variable data. --- mysql-test/r/user_var.result | 6 ++++++ mysql-test/t/user_var.test | 12 ++++++++++++ sql/item_func.cc | 2 +- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index cf82a18ea83..374520ff610 100644 --- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -450,4 +450,10 @@ DROP TABLE t1; select @v:=@v:=sum(1) from dual; @v:=@v:=sum(1) 1 +CREATE TABLE t1(a DECIMAL(31,21)); +INSERT INTO t1 VALUES (0); +SELECT (@v:=a) <> (@v:=1) FROM t1; +(@v:=a) <> (@v:=1) +1 +DROP TABLE t1; End of 5.1 tests diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test index 56217fe67d5..efaf8afd91e 100644 --- a/mysql-test/t/user_var.test +++ b/mysql-test/t/user_var.test @@ -353,4 +353,16 @@ DROP TABLE t1; select @v:=@v:=sum(1) from dual; +# +# Bug #57187: more user variable fun with multiple assignments and +# comparison in query +# + +CREATE TABLE t1(a DECIMAL(31,21)); +INSERT INTO t1 VALUES (0); + +SELECT (@v:=a) <> (@v:=1) FROM t1; + +DROP TABLE t1; + --echo End of 5.1 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index 8bb1009ac2c..5a8f65a795a 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -4064,7 +4064,7 @@ my_decimal *user_var_entry::val_decimal(my_bool *null_value, my_decimal *val) int2my_decimal(E_DEC_FATAL_ERROR, *(longlong*) value, 0, val); break; case DECIMAL_RESULT: - val= (my_decimal *)value; + my_decimal2decimal((my_decimal *) value, val); break; case STRING_RESULT: str2my_decimal(E_DEC_FATAL_ERROR, value, length, collation.collation, val); From 3190d454236c73184b41dcbd7a296069ac2d115b Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Wed, 8 Dec 2010 16:05:26 +0200 Subject: [PATCH 06/13] Backport of the 5.1 fix for bug #55826 to 5.0 --- mysql-test/r/innodb_mysql.result | 12 ++++++++++++ mysql-test/t/innodb_mysql.test | 15 +++++++++++++++ sql/item_func.cc | 16 +++++++++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/innodb_mysql.result b/mysql-test/r/innodb_mysql.result index a51dc978f3e..42eefe4d946 100644 --- a/mysql-test/r/innodb_mysql.result +++ b/mysql-test/r/innodb_mysql.result @@ -1315,4 +1315,16 @@ id select_type table type possible_keys key key_len ref rows Extra 2 DEPENDENT SUBQUERY t1 system NULL NULL NULL NULL 0 const row not found 2 DEPENDENT SUBQUERY t2 ALL NULL NULL NULL NULL 1 DROP TABLE t1,t2; +# +# Bug#55826: create table .. select crashes with when KILL_BAD_DATA +# is returned +# +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +CREATE TABLE t2 +SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +ERROR 22007: Truncated incorrect datetime value: '' +DROP TABLE t1; +SET SQL_MODE=DEFAULT; End of 5.0 tests diff --git a/mysql-test/t/innodb_mysql.test b/mysql-test/t/innodb_mysql.test index 3c81a27e9ac..9a17cc5e8d1 100644 --- a/mysql-test/t/innodb_mysql.test +++ b/mysql-test/t/innodb_mysql.test @@ -1073,4 +1073,19 @@ explain select b from t1 where a not in (select b from t1,t2 group by a) group by a; DROP TABLE t1,t2; +--echo # +--echo # Bug#55826: create table .. select crashes with when KILL_BAD_DATA +--echo # is returned +--echo # + +CREATE TABLE t1(a INT) ENGINE=innodb; +INSERT INTO t1 VALUES (0); +SET SQL_MODE='STRICT_ALL_TABLES'; +--error ER_TRUNCATED_WRONG_VALUE +CREATE TABLE t2 + SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`; +DROP TABLE t1; +SET SQL_MODE=DEFAULT; + + --echo End of 5.0 tests diff --git a/sql/item_func.cc b/sql/item_func.cc index 6cd8f34ecef..3d105a159e0 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2270,7 +2270,7 @@ void Item_func_min_max::fix_length_and_dec() stored to the value pointer, if latter is provided. RETURN - 0 If one of arguments is NULL + 0 If one of arguments is NULL or there was a execution error # index of the least/greatest argument */ @@ -2284,6 +2284,14 @@ uint Item_func_min_max::cmp_datetimes(ulonglong *value) Item **arg= args + i; bool is_null; longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null); + + /* Check if we need to stop (because of error or KILL) and stop the loop */ + if (thd->net.report_error) + { + null_value= 1; + return 0; + } + if ((null_value= args[i]->null_value)) return 0; if (i == 0 || (res < min_max ? cmp_sign : -cmp_sign) > 0) @@ -2312,6 +2320,12 @@ String *Item_func_min_max::val_str(String *str) if (null_value) return 0; str_res= args[min_max_idx]->val_str(str); + if (args[min_max_idx]->null_value) + { + // check if the call to val_str() above returns a NULL value + null_value= 1; + return NULL; + } str_res->set_charset(collation.collation); return str_res; } From 1bd81f6b817cc9b8e0b61d126b7ad159117e1b29 Mon Sep 17 00:00:00 2001 From: Alexander Nozdrin Date: Wed, 15 Dec 2010 19:00:01 +0300 Subject: [PATCH 07/13] Patch for Bug#57952 (privilege change is not taken into account by EXECUTE). The user-visible problem was that changes to column-level privileges, happened in between of PREPARE and EXECUTE of a prepared statement, were neglected. I.e. a prepared statement could be executed with the column-level privileges as of PREPARE-time. The problem existed for column-level privileges only. A similar problem existed for stored programs: the changes between executions didn't have an effect. Technically the thing is that table references are cached in Prepared_statement::prepare() call. In subsequent Prepared_statement::execute() calls those cached values are used. There are two functions to get a field by name: find_field_in_table() and find_field_in_table_ref(). On prepare-phase find_field_in_table_ref() is called, on execute-phase -- find_field_in_table() because the table is cached. find_field_in_table() does not check column-level privileges and expects the caller to do that. The problem was that this check was forgotten. The fix is to check them there as it happens in find_field_in_table_ref(). --- mysql-test/r/grant.result | 74 ++++++++++++++++++++++++++++ mysql-test/t/grant.test | 101 ++++++++++++++++++++++++++++++++++++++ sql/sql_base.cc | 12 +++++ 3 files changed, 187 insertions(+) diff --git a/mysql-test/r/grant.result b/mysql-test/r/grant.result index 7a5b0520f7c..e7ae6612746 100644 --- a/mysql-test/r/grant.result +++ b/mysql-test/r/grant.result @@ -1156,4 +1156,78 @@ CURRENT_USER() root@localhost SET PASSWORD FOR CURRENT_USER() = PASSWORD("admin"); SET PASSWORD FOR CURRENT_USER() = PASSWORD(""); + +# Bug#57952 + +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; +use mysqltest1; +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (1, 1); +CREATE TABLE t2(a INT); +INSERT INTO t2 VALUES (2); +CREATE TABLE mysqltest2.t3(a INT); +INSERT INTO mysqltest2.t3 VALUES (4); +CREATE USER testuser@localhost; +GRANT CREATE ROUTINE, EXECUTE ON mysqltest1.* TO testuser@localhost; +GRANT SELECT(b) ON t1 TO testuser@localhost; +GRANT SELECT ON t2 TO testuser@localhost; +GRANT SELECT ON mysqltest2.* TO testuser@localhost; + +# Connection: bug57952_con1 (testuser@localhost, db: mysqltest1) +PREPARE s1 FROM 'SELECT b FROM t1'; +PREPARE s2 FROM 'SELECT a FROM t2'; +PREPARE s3 FROM 'SHOW TABLES FROM mysqltest2'; +CREATE PROCEDURE p1() SELECT b FROM t1; +CREATE PROCEDURE p2() SELECT a FROM t2; +CREATE PROCEDURE p3() SHOW TABLES FROM mysqltest2; +CALL p1; +b +1 +CALL p2; +a +2 +CALL p3; +Tables_in_mysqltest2 +t3 + +# Connection: default +REVOKE SELECT ON t1 FROM testuser@localhost; +GRANT SELECT(a) ON t1 TO testuser@localhost; +REVOKE SELECT ON t2 FROM testuser@localhost; +REVOKE SELECT ON mysqltest2.* FROM testuser@localhost; + +# Connection: bug57952_con1 (testuser@localhost, db: mysqltest1) +# - Check column-level privileges... +EXECUTE s1; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't1' +SELECT b FROM t1; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't1' +EXECUTE s1; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't1' +CALL p1; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for column 'b' in table 't1' +# - Check table-level privileges... +SELECT a FROM t2; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table 't2' +EXECUTE s2; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table 't2' +CALL p2; +ERROR 42000: SELECT command denied to user 'testuser'@'localhost' for table 't2' +# - Check database-level privileges... +SHOW TABLES FROM mysqltest2; +ERROR 42000: Access denied for user 'testuser'@'localhost' to database 'mysqltest2' +EXECUTE s3; +ERROR 42000: Access denied for user 'testuser'@'localhost' to database 'mysqltest2' +CALL p3; +ERROR 42000: Access denied for user 'testuser'@'localhost' to database 'mysqltest2' + +# Connection: default +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP USER testuser@localhost; +use test; + End of 5.0 tests diff --git a/mysql-test/t/grant.test b/mysql-test/t/grant.test index 1b2b8465c83..21e3bbf5842 100644 --- a/mysql-test/t/grant.test +++ b/mysql-test/t/grant.test @@ -1166,6 +1166,107 @@ SELECT CURRENT_USER(); SET PASSWORD FOR CURRENT_USER() = PASSWORD("admin"); SET PASSWORD FOR CURRENT_USER() = PASSWORD(""); +# +# Bug#57952: privilege change is not taken into account by EXECUTE. +# + +--echo +--echo # Bug#57952 +--echo + +--disable_warnings +DROP DATABASE IF EXISTS mysqltest1; +DROP DATABASE IF EXISTS mysqltest2; +--enable_warnings + +CREATE DATABASE mysqltest1; +CREATE DATABASE mysqltest2; + +use mysqltest1; +CREATE TABLE t1(a INT, b INT); +INSERT INTO t1 VALUES (1, 1); + +CREATE TABLE t2(a INT); +INSERT INTO t2 VALUES (2); + +CREATE TABLE mysqltest2.t3(a INT); +INSERT INTO mysqltest2.t3 VALUES (4); + +CREATE USER testuser@localhost; +GRANT CREATE ROUTINE, EXECUTE ON mysqltest1.* TO testuser@localhost; +GRANT SELECT(b) ON t1 TO testuser@localhost; +GRANT SELECT ON t2 TO testuser@localhost; +GRANT SELECT ON mysqltest2.* TO testuser@localhost; + +--echo +--echo # Connection: bug57952_con1 (testuser@localhost, db: mysqltest1) +--connect (bug57952_con1,localhost,testuser,,mysqltest1) +PREPARE s1 FROM 'SELECT b FROM t1'; +PREPARE s2 FROM 'SELECT a FROM t2'; +PREPARE s3 FROM 'SHOW TABLES FROM mysqltest2'; + +CREATE PROCEDURE p1() SELECT b FROM t1; +CREATE PROCEDURE p2() SELECT a FROM t2; +CREATE PROCEDURE p3() SHOW TABLES FROM mysqltest2; + +CALL p1; +CALL p2; +CALL p3; + +--echo +--echo # Connection: default +--connection default +REVOKE SELECT ON t1 FROM testuser@localhost; +GRANT SELECT(a) ON t1 TO testuser@localhost; +REVOKE SELECT ON t2 FROM testuser@localhost; +REVOKE SELECT ON mysqltest2.* FROM testuser@localhost; + +--echo +--echo # Connection: bug57952_con1 (testuser@localhost, db: mysqltest1) +--connection bug57952_con1 +--echo # - Check column-level privileges... +--error ER_COLUMNACCESS_DENIED_ERROR +EXECUTE s1; + +--error ER_COLUMNACCESS_DENIED_ERROR +SELECT b FROM t1; + +--error ER_COLUMNACCESS_DENIED_ERROR +EXECUTE s1; + +--error ER_COLUMNACCESS_DENIED_ERROR +CALL p1; + +--echo # - Check table-level privileges... +--error ER_TABLEACCESS_DENIED_ERROR +SELECT a FROM t2; + +--error ER_TABLEACCESS_DENIED_ERROR +EXECUTE s2; + +--error ER_TABLEACCESS_DENIED_ERROR +CALL p2; + +--echo # - Check database-level privileges... +--error ER_DBACCESS_DENIED_ERROR +SHOW TABLES FROM mysqltest2; + +--error ER_DBACCESS_DENIED_ERROR +EXECUTE s3; + +--error ER_DBACCESS_DENIED_ERROR +CALL p3; + +--echo +--echo # Connection: default +--connection default +--disconnect bug57952_con1 +DROP DATABASE mysqltest1; +DROP DATABASE mysqltest2; +DROP USER testuser@localhost; +use test; +--echo + --echo End of 5.0 tests disconnect master; diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 88d1e8879d1..669229a8404 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -3657,6 +3657,8 @@ find_field_in_natural_join(THD *thd, TABLE_LIST *table_ref, const char *name, /* Find field by name in a base table or a view with temp table algorithm. + The caller is expected to check column-level privileges. + SYNOPSIS find_field_in_table() thd thread handler @@ -3753,6 +3755,8 @@ find_field_in_table(THD *thd, TABLE *table, const char *name, uint length, This procedure detects the type of the table reference 'table_list' and calls the corresponding search routine. + The routine checks column-level privieleges for the found field. + RETURN 0 field is not found view_ref_found found value in VIEW (real result is in *ref) @@ -3944,8 +3948,16 @@ find_field_in_tables(THD *thd, Item_ident *item, when table_ref->field_translation != NULL. */ if (table_ref->table && !table_ref->view) + { found= find_field_in_table(thd, table_ref->table, name, length, TRUE, &(item->cached_field_index)); +#ifndef NO_EMBEDDED_ACCESS_CHECKS + /* Check if there are sufficient access rights to the found field. */ + if (found && check_privileges && + check_column_grant_in_table_ref(thd, table_ref, name, length)) + found= WRONG_GRANT; +#endif + } else found= find_field_in_table_ref(thd, table_ref, name, length, item->name, NULL, NULL, ref, check_privileges, From ffdeb062727361fb52c1baa38a184a214ec91ea3 Mon Sep 17 00:00:00 2001 From: Martin Hansson Date: Thu, 16 Dec 2010 10:07:48 +0100 Subject: [PATCH 08/13] Bug#54568: create view cause Assertion failed: 0, file .\item_subselect.cc, line 836 IN quantified predicates are never executed directly. They are rather wrapped inside nodes called IN Optimizers (Item_in_optimizer) which take care of the execution. However, this is not done during query preparation. Unfortunately the LIKE predicate pre-evaluates constant right-hand side arguments even during name resolution. Likely this is meant as an optimization. Fixed by not pre-evaluating LIKE arguments in view prepare mode. Back-ported to 5.0s --- mysql-test/r/subselect4.result | 21 +++++++++++++++++++++ mysql-test/t/subselect4.test | 16 ++++++++++++++++ sql/item_cmpfunc.cc | 2 +- 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/subselect4.result b/mysql-test/r/subselect4.result index e863cbfb7a8..4f808a963b9 100644 --- a/mysql-test/r/subselect4.result +++ b/mysql-test/r/subselect4.result @@ -59,3 +59,24 @@ FROM t3 WHERE 1 = 0 GROUP BY 1; (SELECT 1 FROM t1,t2 WHERE t2.b > t3.b) DROP TABLE t1,t2,t3; End of 5.0 tests. +# +# Bug#54568: create view cause Assertion failed: 0, +# file .\item_subselect.cc, line 836 +# +EXPLAIN SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +id select_type table type possible_keys key key_len ref rows Extra +1 PRIMARY NULL NULL NULL NULL NULL NULL NULL No tables used +Warnings: +Note 1249 Select 2 was reduced during optimization +DESCRIBE SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +id select_type table type possible_keys key key_len ref rows Extra +1 PRIMARY NULL NULL NULL NULL NULL NULL NULL No tables used +Warnings: +Note 1249 Select 2 was reduced during optimization +# None of the below should crash +CREATE VIEW v1 AS SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +CREATE VIEW v2 AS SELECT 1 LIKE '%' ESCAPE ( 1 IN ( SELECT 1 ) ); +DROP VIEW v1, v2; +# +# End of 5.1 tests. +# diff --git a/mysql-test/t/subselect4.test b/mysql-test/t/subselect4.test index 440eca22828..2c6efdbaac2 100644 --- a/mysql-test/t/subselect4.test +++ b/mysql-test/t/subselect4.test @@ -62,3 +62,19 @@ FROM t3 WHERE 1 = 0 GROUP BY 1; DROP TABLE t1,t2,t3; --echo End of 5.0 tests. + +--echo # +--echo # Bug#54568: create view cause Assertion failed: 0, +--echo # file .\item_subselect.cc, line 836 +--echo # +EXPLAIN SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +DESCRIBE SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +--echo # None of the below should crash +CREATE VIEW v1 AS SELECT 1 LIKE ( 1 IN ( SELECT 1 ) ); +CREATE VIEW v2 AS SELECT 1 LIKE '%' ESCAPE ( 1 IN ( SELECT 1 ) ); +DROP VIEW v1, v2; + + +--echo # +--echo # End of 5.1 tests. +--echo # diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc index 4ae381af683..b79c13f4578 100644 --- a/sql/item_cmpfunc.cc +++ b/sql/item_cmpfunc.cc @@ -4248,7 +4248,7 @@ bool Item_func_like::fix_fields(THD *thd, Item **ref) return TRUE; } - if (escape_item->const_item()) + if (escape_item->const_item() && !thd->lex->view_prepare_mode) { /* If we are on execution stage */ String *escape_str= escape_item->val_str(&tmp_value1); From 21da523f1796555fb61d5053ec8509ca3d74a2f6 Mon Sep 17 00:00:00 2001 From: Kristofer Pettersson Date: Thu, 16 Dec 2010 11:49:40 +0100 Subject: [PATCH 09/13] Bug58747 57359 patch: breaks secure_file_priv+not secure yet+still accesses other folders "load data infile .." allowed for access to unautohorized tables. Due to a faulty if-statement it was possible to circumvent the secure_file_priv restriction. mysql-test/mysql-test-run.pl: * Add SECURE_LOAD_PATH environment variable to mtr test cases. mysql-test/suite/sys_vars/r/secure_file_priv2.result: * add test for bug58747 mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt: * add test for bug58747 mysql-test/suite/sys_vars/t/secure_file_priv2.test: * add test for bug58747 sql/sql_load.cc: * Correct faulty if-statement * fix indentation * move my_stat() block to after is_secure_file_path() check. --- mysql-test/mysql-test-run.pl | 10 +++ .../suite/sys_vars/r/secure_file_priv2.result | 6 ++ .../sys_vars/t/secure_file_priv2-master.opt | 1 + .../suite/sys_vars/t/secure_file_priv2.test | 23 +++++ sql/sql_load.cc | 89 ++++++++++--------- 5 files changed, 85 insertions(+), 44 deletions(-) create mode 100644 mysql-test/suite/sys_vars/r/secure_file_priv2.result create mode 100644 mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt create mode 100644 mysql-test/suite/sys_vars/t/secure_file_priv2.test diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 22c60cf1997..1348d0f991b 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -2025,6 +2025,16 @@ sub environment_setup { $ENV{'DEFAULT_MASTER_PORT'}= $mysqld_variables{'master-port'} || 3306; $ENV{'MYSQL_TMP_DIR'}= $opt_tmpdir; $ENV{'MYSQLTEST_VARDIR'}= $opt_vardir; + + if (IS_WINDOWS) + { + $ENV{'SECURE_LOAD_PATH'}= $glob_mysql_test_dir."\\std_data"; + } + else + { + $ENV{'SECURE_LOAD_PATH'}= $glob_mysql_test_dir."/std_data"; + } + # ---------------------------------------------------- # Setup env for NDB diff --git a/mysql-test/suite/sys_vars/r/secure_file_priv2.result b/mysql-test/suite/sys_vars/r/secure_file_priv2.result new file mode 100644 index 00000000000..ec91b6037d0 --- /dev/null +++ b/mysql-test/suite/sys_vars/r/secure_file_priv2.result @@ -0,0 +1,6 @@ +CREATE TABLE t1 (c1 INT); +LOAD DATA INFILE "t1.MYI" into table t1; +ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement +LOAD DATA INFILE "/test" into table t1; +ERROR HY000: The MySQL server is running with the --secure-file-priv option so it cannot execute this statement +DROP TABLE t1; diff --git a/mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt b/mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt new file mode 100644 index 00000000000..1d9a49c8f75 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/secure_file_priv2-master.opt @@ -0,0 +1 @@ +--secure_file_priv=$SECURE_LOAD_PATH diff --git a/mysql-test/suite/sys_vars/t/secure_file_priv2.test b/mysql-test/suite/sys_vars/t/secure_file_priv2.test new file mode 100644 index 00000000000..0ca0a1839e1 --- /dev/null +++ b/mysql-test/suite/sys_vars/t/secure_file_priv2.test @@ -0,0 +1,23 @@ +# +# Bug58747 breaks secure_file_priv+not secure yet+still accesses other folders +# +CREATE TABLE t1 (c1 INT); +# +# Before the patch this statement failed with +# Linux: +# -> errno 13: 'Can't get stat of ' +# Windows: +# -> Warning 1366 Incorrect integer value: '■■☺' for +# -> column 'c1' at row 1 +# Now it should consistently fail with ER_OPTION_PREVENTS_STATEMENT +# on all platforms. +--error ER_OPTION_PREVENTS_STATEMENT +LOAD DATA INFILE "t1.MYI" into table t1; + +# +# The following test makes the assuption that /test isn't a valid path in any +# operating system running the test suite. +--error ER_OPTION_PREVENTS_STATEMENT +LOAD DATA INFILE "/test" into table t1; + +DROP TABLE t1; diff --git a/sql/sql_load.cc b/sql/sql_load.cc index 4b68f2a3821..a0f9ebbe39b 100644 --- a/sql/sql_load.cc +++ b/sql/sql_load.cc @@ -314,56 +314,57 @@ int mysql_load(THD *thd,sql_exchange *ex,TABLE_LIST *table_list, (void) fn_format(name, ex->file_name, mysql_real_data_home, "", MY_RELATIVE_PATH | MY_UNPACK_FILENAME | MY_RETURN_REAL_PATH); -#if !defined(__WIN__) && ! defined(__NETWARE__) - MY_STAT stat_info; - if (!my_stat(name,&stat_info,MYF(MY_WME))) - DBUG_RETURN(TRUE); + } - // if we are not in slave thread, the file must be: - if (!thd->slave_thread && - !((stat_info.st_mode & S_IROTH) == S_IROTH && // readable by others - (stat_info.st_mode & S_IFLNK) != S_IFLNK && // and not a symlink - ((stat_info.st_mode & S_IFREG) == S_IFREG || - (stat_info.st_mode & S_IFIFO) == S_IFIFO))) - { - my_error(ER_TEXTFILE_NOT_READABLE, MYF(0), name); - DBUG_RETURN(TRUE); - } - if ((stat_info.st_mode & S_IFIFO) == S_IFIFO) - is_fifo = 1; -#endif - - if (thd->slave_thread) - { + if (thd->slave_thread) + { #if defined(HAVE_REPLICATION) && !defined(MYSQL_CLIENT) - if (strncmp(active_mi->rli.slave_patternload_file, name, - active_mi->rli.slave_patternload_file_size)) - { - /* - LOAD DATA INFILE in the slave SQL Thread can only read from - --slave-load-tmpdir". This should never happen. Please, report a bug. - */ - - sql_print_error("LOAD DATA INFILE in the slave SQL Thread can only read from --slave-load-tmpdir. " \ - "Please, report a bug."); - my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--slave-load-tmpdir"); - DBUG_RETURN(TRUE); - } -#else - /* - This is impossible and should never happen. - */ - DBUG_ASSERT(FALSE); -#endif - } - else if (!is_secure_file_path(name)) + if (strncmp(active_mi->rli.slave_patternload_file, name, + active_mi->rli.slave_patternload_file_size)) { - /* Read only allowed from within dir specified by secure_file_priv */ - my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--secure-file-priv"); + /* + LOAD DATA INFILE in the slave SQL Thread can only read from + --slave-load-tmpdir". This should never happen. Please, report a bug. + */ + + sql_print_error("LOAD DATA INFILE in the slave SQL Thread can only read from --slave-load-tmpdir. " \ + "Please, report a bug."); + my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--slave-load-tmpdir"); DBUG_RETURN(TRUE); } - +#else + /* + This is impossible and should never happen. + */ + DBUG_ASSERT(FALSE); +#endif } + else if (!is_secure_file_path(name)) + { + /* Read only allowed from within dir specified by secure_file_priv */ + my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), "--secure-file-priv"); + DBUG_RETURN(TRUE); + } + +#if !defined(__WIN__) && ! defined(__NETWARE__) + MY_STAT stat_info; + if (!my_stat(name,&stat_info,MYF(MY_WME))) + DBUG_RETURN(TRUE); + + // if we are not in slave thread, the file must be: + if (!thd->slave_thread && + !((stat_info.st_mode & S_IROTH) == S_IROTH && // readable by others + (stat_info.st_mode & S_IFLNK) != S_IFLNK && // and not a symlink + ((stat_info.st_mode & S_IFREG) == S_IFREG || + (stat_info.st_mode & S_IFIFO) == S_IFIFO))) + { + my_error(ER_TEXTFILE_NOT_READABLE, MYF(0), name); + DBUG_RETURN(TRUE); + } + if ((stat_info.st_mode & S_IFIFO) == S_IFIFO) + is_fifo = 1; +#endif + if ((file=my_open(name,O_RDONLY,MYF(MY_WME))) < 0) DBUG_RETURN(TRUE); } From c1fce59c3d9a9dd100dd7048f21451505068f27b Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Thu, 23 Dec 2010 13:35:42 +0200 Subject: [PATCH 10/13] fixed the binlog problem --- mysql-test/suite/binlog/r/binlog_unsafe.result | 2 +- mysql-test/suite/binlog/t/binlog_unsafe.test | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/mysql-test/suite/binlog/r/binlog_unsafe.result b/mysql-test/suite/binlog/r/binlog_unsafe.result index 77fe5eb0b5e..e0e0babb8b7 100644 --- a/mysql-test/suite/binlog/r/binlog_unsafe.result +++ b/mysql-test/suite/binlog/r/binlog_unsafe.result @@ -271,7 +271,7 @@ INSERT INTO t1 SELECT * FROM t2 LIMIT 1; DROP TABLE t1,t2; "Should NOT have any warning message issued in the following func7() and trig" CREATE TABLE t1 (a INT); -CREATE TABLE t2 (a CHAR(40)); +CREATE TABLE t2 (a TEXT); CREATE TABLE trigger_table (a CHAR(7)); CREATE FUNCTION func7() RETURNS INT diff --git a/mysql-test/suite/binlog/t/binlog_unsafe.test b/mysql-test/suite/binlog/t/binlog_unsafe.test index a86e49e475a..1e2e31eacf7 100644 --- a/mysql-test/suite/binlog/t/binlog_unsafe.test +++ b/mysql-test/suite/binlog/t/binlog_unsafe.test @@ -329,7 +329,7 @@ DROP TABLE t1,t2; --echo "Should NOT have any warning message issued in the following func7() and trig" CREATE TABLE t1 (a INT); -CREATE TABLE t2 (a CHAR(40)); +CREATE TABLE t2 (a TEXT); CREATE TABLE trigger_table (a CHAR(7)); DELIMITER |; CREATE FUNCTION func7() From 95cc85dbf515991ea1b19307cacce5c4ba24f21d Mon Sep 17 00:00:00 2001 From: Jimmy Yang Date: Thu, 6 Jan 2011 23:45:59 -0800 Subject: [PATCH 11/13] Backport Bug #58643 InnoDB: too long table name. Also fix Bug #59312 examine MAX_FULL_NAME_LEN in InnoDB to address possible insufficient name buffer Bug #59312 Approved by Sunny Bains --- storage/innodb_plugin/ChangeLog | 10 ++++++++++ storage/innodb_plugin/dict/dict0dict.c | 10 +++++----- storage/innodb_plugin/handler/ha_innodb.cc | 10 ++++++++++ storage/innodb_plugin/handler/i_s.cc | 11 +---------- storage/innodb_plugin/include/univ.i | 12 ++++++++++++ storage/innodb_plugin/row/row0merge.c | 4 ++-- 6 files changed, 40 insertions(+), 17 deletions(-) diff --git a/storage/innodb_plugin/ChangeLog b/storage/innodb_plugin/ChangeLog index 5ca60eb73d5..34d0fe7f6ef 100644 --- a/storage/innodb_plugin/ChangeLog +++ b/storage/innodb_plugin/ChangeLog @@ -1,3 +1,13 @@ +2011-01-06 The InnoDB Team + * row/row0merge.c: + Fix Bug#59312 Examine MAX_FULL_NAME_LEN in InnoDB to address + possible insufficient name buffer + +2011-01-06 The InnoDB Team + * dict/dict0dict.c, handler/ha_innodb.cc, handler/i_s.cc, + include/univ.i: + Fix Bug#58643 InnoDB: too long table name + 2010-11-11 The InnoDB Team * thr/thr0loc.c, trx/trx0i_s.c: Fix Bug#57802 Empty ASSERTION parameter passed to the HASH_SEARCH macro diff --git a/storage/innodb_plugin/dict/dict0dict.c b/storage/innodb_plugin/dict/dict0dict.c index eb3169bd176..2e936e27065 100644 --- a/storage/innodb_plugin/dict/dict0dict.c +++ b/storage/innodb_plugin/dict/dict0dict.c @@ -932,7 +932,7 @@ dict_table_rename_in_cache( dict_foreign_t* foreign; dict_index_t* index; ulint fold; - char old_name[MAX_TABLE_NAME_LEN + 1]; + char old_name[MAX_FULL_NAME_LEN + 1]; ut_ad(table); ut_ad(mutex_own(&(dict_sys->mutex))); @@ -944,7 +944,7 @@ dict_table_rename_in_cache( ut_print_timestamp(stderr); fprintf(stderr, "InnoDB: too long table name: '%s', " "max length is %d\n", table->name, - MAX_TABLE_NAME_LEN); + MAX_FULL_NAME_LEN); ut_error; } @@ -994,11 +994,11 @@ dict_table_rename_in_cache( ut_fold_string(old_name), table); if (strlen(new_name) > strlen(table->name)) { - /* We allocate MAX_TABLE_NAME_LEN+1 bytes here to avoid + /* We allocate MAX_FULL_NAME_LEN + 1 bytes here to avoid memory fragmentation, we assume a repeated calls of ut_realloc() with the same size do not cause fragmentation */ - ut_a(strlen(new_name) <= MAX_TABLE_NAME_LEN); - table->name = ut_realloc(table->name, MAX_TABLE_NAME_LEN + 1); + ut_a(strlen(new_name) <= MAX_FULL_NAME_LEN); + table->name = ut_realloc(table->name, MAX_FULL_NAME_LEN + 1); } memcpy(table->name, new_name, strlen(new_name) + 1); diff --git a/storage/innodb_plugin/handler/ha_innodb.cc b/storage/innodb_plugin/handler/ha_innodb.cc index 5965bd0e59e..c0e3163d717 100644 --- a/storage/innodb_plugin/handler/ha_innodb.cc +++ b/storage/innodb_plugin/handler/ha_innodb.cc @@ -6009,6 +6009,16 @@ create_table_def( DBUG_RETURN(HA_ERR_GENERIC); } + /* MySQL does the name length check. But we do additional check + on the name length here */ + if (strlen(table_name) > MAX_FULL_NAME_LEN) { + push_warning_printf( + (THD*) trx->mysql_thd, MYSQL_ERROR::WARN_LEVEL_WARN, + ER_TABLE_NAME, + "InnoDB: Table Name or Database Name is too long"); + DBUG_RETURN(ER_TABLE_NAME); + } + n_cols = form->s->fields; /* We pass 0 as the space id, and determine at a lower level the space diff --git a/storage/innodb_plugin/handler/i_s.cc b/storage/innodb_plugin/handler/i_s.cc index 9ad2d656365..0ef4f77ed3e 100644 --- a/storage/innodb_plugin/handler/i_s.cc +++ b/storage/innodb_plugin/handler/i_s.cc @@ -579,16 +579,7 @@ fill_innodb_locks_from_cache( for (i = 0; i < rows_num; i++) { i_s_locks_row_t* row; - - /* note that the decoded database or table name is - never expected to be longer than NAME_LEN; - NAME_LEN for database name - 2 for surrounding quotes around database name - NAME_LEN for table name - 2 for surrounding quotes around table name - 1 for the separating dot (.) - 9 for the #mysql50# prefix */ - char buf[2 * NAME_LEN + 14]; + char buf[MAX_FULL_NAME_LEN + 1]; const char* bufend; char lock_trx_id[TRX_ID_MAX_LEN + 1]; diff --git a/storage/innodb_plugin/include/univ.i b/storage/innodb_plugin/include/univ.i index cab3af5297e..4e74411628e 100644 --- a/storage/innodb_plugin/include/univ.i +++ b/storage/innodb_plugin/include/univ.i @@ -296,6 +296,18 @@ number does not include a terminating '\0'. InnoDB probably can handle longer names internally */ #define MAX_TABLE_NAME_LEN 192 +/* The maximum length of a database name. Like MAX_TABLE_NAME_LEN this is +the MySQL's NAME_LEN, see check_and_convert_db_name(). */ +#define MAX_DATABASE_NAME_LEN MAX_TABLE_NAME_LEN + +/* MAX_FULL_NAME_LEN defines the full name path including the +database name and table name. In addition, 14 bytes is added for: + 2 for surrounding quotes around table name + 1 for the separating dot (.) + 9 for the #mysql50# prefix */ +#define MAX_FULL_NAME_LEN \ + (MAX_TABLE_NAME_LEN + MAX_DATABASE_NAME_LEN + 14) + /* UNIVERSAL TYPE DEFINITIONS ========================== diff --git a/storage/innodb_plugin/row/row0merge.c b/storage/innodb_plugin/row/row0merge.c index 160edd32fbf..647d0031635 100644 --- a/storage/innodb_plugin/row/row0merge.c +++ b/storage/innodb_plugin/row/row0merge.c @@ -2341,7 +2341,7 @@ row_merge_rename_tables( { ulint err = DB_ERROR; pars_info_t* info; - char old_name[MAX_TABLE_NAME_LEN + 1]; + char old_name[MAX_FULL_NAME_LEN + 1]; ut_ad(trx->mysql_thread_id == os_thread_get_curr_id()); ut_ad(old_table != new_table); @@ -2356,7 +2356,7 @@ row_merge_rename_tables( ut_print_timestamp(stderr); fprintf(stderr, "InnoDB: too long table name: '%s', " "max length is %d\n", old_table->name, - MAX_TABLE_NAME_LEN); + MAX_FULL_NAME_LEN); ut_error; } From 651313bf91d7771831de7228bb4130f0ac64c33a Mon Sep 17 00:00:00 2001 From: Oystein Grovlen Date: Wed, 12 Jan 2011 10:37:15 +0100 Subject: [PATCH 12/13] Bug#59211: Select Returns Different Value for min(year) Function get_year_value() contains code to convert 2-digits year to 4-digits. The fix for Bug#49910 added a check on the size of the underlying field so that this conversion is not done for YEAR(4) values. (Since otherwise one would convert invalid YEAR(4) values to valid ones.) The existing check does not work when Item_cache is used, since it is not detected when the cache is based on a Field. The reported change in behavior is due to Bug#58030 which added extra cached items in min/max computations. The elegant solution would be to implement Item_cache::real_item() to return the underlying Item. However, some side effects are observed (change in explain output) that indicates that such a change is not straight- forward, and definitely not appropriate for an MRU. Instead, a Item_cache::field() method has been added in order to get access to the underlying field. (This field() method eliminates the need for Item_cache::eq_def() used in test_if_ref(), but in order to limit the scope of this fix, that code has been left as is.) mysql-test/r/type_year.result: Added test case for Bug#59211. mysql-test/t/type_year.test: Added test case for Bug#59211. sql/item.h: Added function Item_cache::field() to get access to the underlying Field of a cached field Value. sql/item_cmpfunc.cc: Also check underlying fields of Item_cache, not just Item_Field, when checking whether the value is of type YEAR(4) or not. --- mysql-test/r/type_year.result | 14 ++++++++++++++ mysql-test/t/type_year.test | 10 ++++++++++ sql/item.h | 13 ++++++++++--- sql/item_cmpfunc.cc | 9 ++++++--- 4 files changed, 40 insertions(+), 6 deletions(-) diff --git a/mysql-test/r/type_year.result b/mysql-test/r/type_year.result index 8948214f565..2dc491c6166 100644 --- a/mysql-test/r/type_year.result +++ b/mysql-test/r/type_year.result @@ -341,4 +341,18 @@ ta_y s tb_y s 2001 2001 2001 2001 DROP TABLE t1; # +# Bug #59211: Select Returns Different Value for min(year) Function +# +CREATE TABLE t1(c1 YEAR(4)); +INSERT INTO t1 VALUES (1901),(2155),(0000); +SELECT * FROM t1; +c1 +1901 +2155 +0000 +SELECT COUNT(*) AS total_rows, MIN(c1) AS min_value, MAX(c1) FROM t1; +total_rows min_value MAX(c1) +3 0 2155 +DROP TABLE t1; +# End of 5.1 tests diff --git a/mysql-test/t/type_year.test b/mysql-test/t/type_year.test index d8da4ccc82c..1a9e66478e1 100644 --- a/mysql-test/t/type_year.test +++ b/mysql-test/t/type_year.test @@ -149,6 +149,16 @@ SELECT ta.y AS ta_y, ta.s, tb.y AS tb_y, tb.s FROM t1 ta, t1 tb HAVING ta_y = tb DROP TABLE t1; +--echo # +--echo # Bug #59211: Select Returns Different Value for min(year) Function +--echo # + +CREATE TABLE t1(c1 YEAR(4)); +INSERT INTO t1 VALUES (1901),(2155),(0000); +SELECT * FROM t1; +SELECT COUNT(*) AS total_rows, MIN(c1) AS min_value, MAX(c1) FROM t1; +DROP TABLE t1; + --echo # --echo End of 5.1 tests diff --git a/sql/item.h b/sql/item.h index eb809ca410f..fdf8d4906d1 100644 --- a/sql/item.h +++ b/sql/item.h @@ -2960,11 +2960,10 @@ class Item_cache: public Item_basic_constant protected: Item *example; table_map used_table_map; - /* - Field that this object will get value from. This is set/used by + /** + Field that this object will get value from. This is used by index-based subquery engines to detect and remove the equality injected by IN->EXISTS transformation. - For all other uses of Item_cache, cached_field doesn't matter. */ Field *cached_field; enum enum_field_types cached_field_type; @@ -3021,6 +3020,14 @@ public: { return this == item; } + + /** + If this item caches a field value, return pointer to underlying field. + + @return Pointer to field, or NULL if this is not a cache for a field value. + */ + Field* field() { return cached_field; } + virtual void store(Item *item); virtual bool cache_value()= 0; }; diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc index d2e1ebbb3a1..4f2034ae902 100644 --- a/sql/item_cmpfunc.cc +++ b/sql/item_cmpfunc.cc @@ -1196,9 +1196,12 @@ get_year_value(THD *thd, Item ***item_arg, Item **cache_arg, value of 2000. */ Item *real_item= item->real_item(); - if (!(real_item->type() == Item::FIELD_ITEM && - ((Item_field *)real_item)->field->type() == MYSQL_TYPE_YEAR && - ((Item_field *)real_item)->field->field_length == 4)) + Field *field= NULL; + if (real_item->type() == Item::FIELD_ITEM) + field= ((Item_field *)real_item)->field; + else if (real_item->type() == Item::CACHE_ITEM) + field= ((Item_cache *)real_item)->field(); + if (!(field && field->type() == MYSQL_TYPE_YEAR && field->field_length == 4)) { if (value < 70) value+= 100; From de3c4428b8c759e85631d8d70b5845c872de5400 Mon Sep 17 00:00:00 2001 From: Karen Langford Date: Tue, 25 Jan 2011 15:42:40 +0100 Subject: [PATCH 13/13] Updating header copyright/README in source for 2011 --- README | 2 +- include/my_pthread.h | 2 +- include/my_sys.h | 2 +- mysys/my_fopen.c | 2 +- mysys/my_getsystime.c | 2 +- sql/handler.cc | 2 +- sql/item.h | 2 +- sql/item_cmpfunc.cc | 2 +- sql/item_geofunc.h | 2 +- sql/log.cc | 2 +- sql/net_serv.cc | 2 +- sql/sql_base.cc | 2 +- sql/sql_select.cc | 2 +- sql/sql_show.cc | 2 +- sql/sql_view.cc | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/README b/README index 5463de4a7e8..48948352e12 100644 --- a/README +++ b/README @@ -5,7 +5,7 @@ For the avoidance of doubt, this particular copy of the software is released under the version 2 of the GNU General Public License. MySQL is brought to you by the MySQL team at Oracle. -Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. License information can be found in the COPYING file. diff --git a/include/my_pthread.h b/include/my_pthread.h index 3880511da2d..87cdaaad0dd 100644 --- a/include/my_pthread.h +++ b/include/my_pthread.h @@ -1,4 +1,4 @@ -/* Copyright (C) 2000 MySQL AB +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/include/my_sys.h b/include/my_sys.h index 0ac220cec31..f6cd9dada99 100644 --- a/include/my_sys.h +++ b/include/my_sys.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/mysys/my_fopen.c b/mysys/my_fopen.c index b8373ecb3ab..72991490d75 100644 --- a/mysys/my_fopen.c +++ b/mysys/my_fopen.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2000 MySQL AB +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/mysys/my_getsystime.c b/mysys/my_getsystime.c index dfd99f6380d..ebe6cea842b 100644 --- a/mysys/my_getsystime.c +++ b/mysys/my_getsystime.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2004 MySQL AB +/* Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/handler.cc b/sql/handler.cc index 711d2942ce0..5968a78b587 100644 --- a/sql/handler.cc +++ b/sql/handler.cc @@ -1,4 +1,4 @@ -/* Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/item.h b/sql/item.h index 866d620d9d7..8568e89542e 100644 --- a/sql/item.h +++ b/sql/item.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc index 4f2034ae902..df5ed7f38de 100644 --- a/sql/item_cmpfunc.cc +++ b/sql/item_cmpfunc.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/item_geofunc.h b/sql/item_geofunc.h index 08161badfd3..0a6e8d03a46 100644 --- a/sql/item_geofunc.h +++ b/sql/item_geofunc.h @@ -1,4 +1,4 @@ -/* Copyright (C) 2000-2003 MySQL AB +/* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/log.cc b/sql/log.cc index 23182fa1902..17642696e7d 100644 --- a/sql/log.cc +++ b/sql/log.cc @@ -1,4 +1,4 @@ -/* Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/net_serv.cc b/sql/net_serv.cc index 0c559f5619d..e45d57e57dc 100644 --- a/sql/net_serv.cc +++ b/sql/net_serv.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/sql_base.cc b/sql/sql_base.cc index 995520ab16f..9765148cda1 100644 --- a/sql/sql_base.cc +++ b/sql/sql_base.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/sql_select.cc b/sql/sql_select.cc index 8cc2ec6a0f8..95378db80d1 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/sql_show.cc b/sql/sql_show.cc index cf6a34d4ef5..1524a8fb87f 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/sql/sql_view.cc b/sql/sql_view.cc index a25ef931344..ab6da7c1925 100644 --- a/sql/sql_view.cc +++ b/sql/sql_view.cc @@ -1,4 +1,4 @@ -/* Copyright (C) 2004 MySQL AB +/* Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by