Fix for BUG#59894

"set optimizer_switch to e or d causes invalid memory writes/valgrind warnings":
because of prefix support, the argument "e" was overwritten in place with its full name
"engine_condition_pushdown", which caused a buffer overrun.
This was wrong usage of find_type(); other wrong usages are fixed here too.
Please start reading with the comment of typelib.c.
This commit is contained in:
Guilhem Bichot 2011-02-11 15:00:09 +01:00
parent e9fc441a52
commit 77c0f33ee2
20 changed files with 136 additions and 62 deletions


@ -369,7 +369,8 @@ int main(int argc,char *argv[])
/* Return 0 if all commands are PING */
for (; argc > 0; argv++, argc--)
{
if (find_type(argv[0], &command_typelib, 2) != ADMIN_PING)
if (find_type(argv[0], &command_typelib, FIND_TYPE_BASIC) !=
ADMIN_PING)
{
error= 1;
break;
@ -592,7 +593,7 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
for (; argc > 0 ; argv++,argc--)
{
switch (find_type(argv[0],&command_typelib,2)) {
switch (find_type(argv[0],&command_typelib, FIND_TYPE_BASIC)) {
case ADMIN_CREATE:
{
char buff[FN_REFLEN+20];
@ -931,7 +932,7 @@ static int execute_commands(MYSQL *mysql,int argc, char **argv)
if (typed_password[0])
{
bool old= (find_type(argv[0], &command_typelib, 2) ==
bool old= (find_type(argv[0], &command_typelib, FIND_TYPE_BASIC) ==
ADMIN_OLD_PASSWORD);
#ifdef __WIN__
size_t pw_len= strlen(typed_password);


@ -1,4 +1,4 @@
/* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -4644,7 +4644,7 @@ static ulong find_set(TYPELIB *lib, const char *x, uint length,
for (; pos != end && *pos != ','; pos++) ;
var_len= (uint) (pos - start);
strmake(buff, start, min(sizeof(buff) - 1, var_len));
find= find_type(buff, lib, var_len);
find= find_type(buff, lib, FIND_TYPE_BASIC);
if (!find)
{
*err_pos= (char*) start;
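Review bot: The `if (!find)` on the line after the changed call still treats only 0 as failure, but find_type() also returns -1 for an ambiguous prefix, and FIND_TYPE_BASIC keeps prefix matching on, so a value such as a single letter that matches several mode names passes this check with find == -1. The rest of find_set is outside the hunk; if find - 1 is then used as a bit position, that is a negative shift. Use `if (find <= 0)` here, and likewise `if (type <= 0)` in the GET_ENUM case of setval() further down this page, which has the same `== 0` test right after its changed call.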


@ -8017,7 +8017,7 @@ void get_command_type(struct st_command* command)
save= command->query[command->first_word_len];
command->query[command->first_word_len]= 0;
type= find_type(command->query, &command_typelib, 1+2);
type= find_type(command->query, &command_typelib, FIND_TYPE_NO_PREFIX);
command->query[command->first_word_len]= save;
if (type > 0)
{


@ -227,7 +227,7 @@ typedef struct st_typelib {
extern my_ulonglong find_typeset(char *x, TYPELIB *typelib,int *error_position);
extern int find_type_or_exit(const char *x, TYPELIB *typelib,
const char *option);
extern int find_type(char *x, const TYPELIB *typelib, unsigned int full_name);
extern int find_type(const char *x, const TYPELIB *typelib, unsigned int flags);
extern void make_type(char *to,unsigned int nr,TYPELIB *typelib);
extern const char *get_type(TYPELIB *typelib,unsigned int nr);
extern TYPELIB *copy_typelib(MEM_ROOT *root, TYPELIB *from);
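Review bot: The new find_type() prototype on the changed line here is also declared in the typelib header further down this page, the one that adds the FIND_TYPE_* macros, so the two copies can drift apart, and a file that includes only this header gets the prototype without the flag names callers now need. If this header is not a generated copy, declare the function once and include that header from here, or move the FIND_TYPE_* defines next to this prototype as well.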


@ -1,4 +1,4 @@
/* Copyright (C) 2000 MySQL AB
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -29,7 +29,17 @@ typedef struct st_typelib { /* Different types saved here */
extern my_ulonglong find_typeset(char *x, TYPELIB *typelib,int *error_position);
extern int find_type_or_exit(const char *x, TYPELIB *typelib,
const char *option);
extern int find_type(char *x, const TYPELIB *typelib, unsigned int full_name);
#define FIND_TYPE_BASIC 0
/** makes @c find_type() require the whole name, no prefix */
#define FIND_TYPE_NO_PREFIX (1 << 0)
/** always implicitely on, so unused, but old code may pass it */
#define FIND_TYPE_NO_OVERWRITE (1 << 1)
/** makes @c find_type() accept a number */
#define FIND_TYPE_ALLOW_NUMBER (1 << 2)
/** makes @c find_type() treat ',' as terminator */
#define FIND_TYPE_COMMA_TERM (1 << 3)
extern int find_type(const char *x, const TYPELIB *typelib, unsigned int flags);
extern void make_type(char *to,unsigned int nr,TYPELIB *typelib);
extern const char *get_type(TYPELIB *typelib,unsigned int nr);
extern TYPELIB *copy_typelib(MEM_ROOT *root, TYPELIB *from);
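Review bot: The comment on FIND_TYPE_NO_OVERWRITE misspells "implicitly" (`/** always implicitly on, so unused, but old code may pass it */`), and the same spelling is in the find_type() doc block in typelib.c further down this page. FIND_TYPE_BASIC is the only flag without a comment even though it is what most callers now pass; say what it means, e.g. `/** default: accept a unique prefix, no #number#, no ',' terminator; x is never modified */`. Without that a reader can only learn the default behaviour from the implementation.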


@ -4593,3 +4593,35 @@ DROP TABLE `comment_table`;
#
# End of 5.1 tests
#
#
# Verify that two modes can be given in --compatible;
# and are reflected in SET SQL_MODE in the mysqldump output.
# Also verify that a prefix of the mode's name is enough.
#
CREATE TABLE t1 (a INT);
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO,NO_TABLE_OPTIONS,NO_FIELD_OPTIONS' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
DROP TABLE IF EXISTS `t1`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `t1` (
`a` int(11) DEFAULT NULL
);
/*!40101 SET character_set_client = @saved_cs_client */;
LOCK TABLES `t1` WRITE;
/*!40000 ALTER TABLE `t1` DISABLE KEYS */;
/*!40000 ALTER TABLE `t1` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
DROP TABLE t1;


@ -60,6 +60,13 @@ set session optimizer_switch="index_merge";
ERROR 42000: Variable 'optimizer_switch' can't be set to the value of 'index_merge'
set session optimizer_switch="foobar";
ERROR 42000: Variable 'optimizer_switch' can't be set to the value of 'foobar'
#
# Bug#59894 set optimizer_switch to e or d causes invalid
# memory writes/valgrind warnings
set global optimizer_switch = 'd';
set global optimizer_switch = 'e';
ERROR 42000: Variable 'optimizer_switch' can't be set to the value of 'e'
SET @@global.optimizer_switch = @start_global_value;
SELECT @@global.optimizer_switch;
@@global.optimizer_switch


@ -46,5 +46,13 @@ set session optimizer_switch="index_merge";
--error ER_WRONG_VALUE_FOR_VAR
set session optimizer_switch="foobar";
--echo #
--echo # Bug#59894 set optimizer_switch to e or d causes invalid
--echo # memory writes/valgrind warnings
--echo
set global optimizer_switch = 'd'; # means default
--error ER_WRONG_VALUE_FOR_VAR
set global optimizer_switch = 'e';
SET @@global.optimizer_switch = @start_global_value;
SELECT @@global.optimizer_switch;


@ -2182,5 +2182,15 @@ DROP TABLE `comment_table`;
--echo # End of 5.1 tests
--echo #
--echo #
--echo # Verify that two modes can be given in --compatible;
--echo # and are reflected in SET SQL_MODE in the mysqldump output.
--echo # Also verify that a prefix of the mode's name is enough.
--echo #
CREATE TABLE t1 (a INT);
# no_t = no_table_options; no_f = no_field_options
--exec $MYSQL_DUMP --compatible=no_t,no_f --skip-comments test
DROP TABLE t1;
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2003 MySQL AB, 2008-2009 Sun Microsystems, Inc
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -376,7 +376,7 @@ static int handle_default_option(void *in_ctx, const char *group_name,
if (!option)
return 0;
if (find_type((char *)group_name, ctx->group, 3))
if (find_type((char *)group_name, ctx->group, FIND_TYPE_NO_PREFIX))
{
if (!(tmp= alloc_root(ctx->alloc, strlen(option) + 1)))
return 1;
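Review bot: The `(char *)` cast on group_name in the changed line is no longer needed now that find_type() takes `const char *x`, and keeping it hides the constness the signature change just established; write `if (find_type(group_name, ctx->group, FIND_TYPE_NO_PREFIX))`. The same leftover cast, `(char *) x`, is in the changed call in find_type_or_exit() in typelib.c further down this page. handle_default_option starts and ends outside the hunk.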


@ -1,4 +1,4 @@
/* Copyright (C) 2002-2006 MySQL AB, 2008-2009 Sun Microsystems, Inc
/* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -695,7 +695,7 @@ static int setval(const struct my_option *opts, void *value, char *argument,
break;
case GET_ENUM:
{
int type= find_type(argument, opts->typelib, 2);
int type= find_type(argument, opts->typelib, FIND_TYPE_BASIC);
if (type == 0)
{
/*


@ -1,4 +1,4 @@
/* Copyright (C) 2000 MySQL AB
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -27,7 +27,7 @@ int find_type_or_exit(const char *x, TYPELIB *typelib, const char *option)
int res;
const char **ptr;
if ((res= find_type((char *) x, typelib, 2)) <= 0)
if ((res= find_type((char *) x, typelib, FIND_TYPE_BASIC)) <= 0)
{
ptr= typelib->type_names;
if (!*x)
@ -48,16 +48,13 @@ int find_type_or_exit(const char *x, TYPELIB *typelib, const char *option)
Search after a string in a list of strings. Endspace in x is not compared.
@param x String to find
@param lib TYPELIB (struct of pointer to values + count)
@param full_name bitmap of what to do
If & 1 accept only whole names
If & 2 don't expand if half field
If & 4 allow #number# as type
If & 8 use ',' as string terminator
@note
If part, uniq field is found and full_name == 0 then x is expanded
to full field.
@param typelib TYPELIB (struct of pointer to values + count)
@param flags flags to tune behaviour: a combination of
FIND_TYPE_NO_PREFIX
FIND_TYPE_ALLOW_NUMBER
FIND_TYPE_COMMA_TERM.
FIND_TYPE_NO_OVERWRITE can be passed but is
superfluous (is always implicitely on).
@retval
-1 Too many matching values
@ -68,15 +65,17 @@ int find_type_or_exit(const char *x, TYPELIB *typelib, const char *option)
*/
int find_type(char *x, const TYPELIB *typelib, uint full_name)
int find_type(const char *x, const TYPELIB *typelib, uint flags)
{
int find,pos;
int UNINIT_VAR(findpos); /* guarded by find */
reg1 char * i;
reg2 const char *j;
const char *i;
const char *j;
DBUG_ENTER("find_type");
DBUG_PRINT("enter",("x: '%s' lib: 0x%lx", x, (long) typelib));
DBUG_ASSERT(!(flags & ~(FIND_TYPE_NO_PREFIX | FIND_TYPE_ALLOW_NUMBER |
FIND_TYPE_NO_OVERWRITE | FIND_TYPE_COMMA_TERM)));
if (!typelib->count)
{
DBUG_PRINT("exit",("no count"));
@ -86,24 +85,26 @@ int find_type(char *x, const TYPELIB *typelib, uint full_name)
for (pos=0 ; (j=typelib->type_names[pos]) ; pos++)
{
for (i=x ;
*i && (!(full_name & 8) || !is_field_separator(*i)) &&
*i && (!(flags & FIND_TYPE_COMMA_TERM) || !is_field_separator(*i)) &&
my_toupper(&my_charset_latin1,*i) ==
my_toupper(&my_charset_latin1,*j) ; i++, j++) ;
if (! *j)
{
while (*i == ' ')
i++; /* skip_end_space */
if (! *i || ((full_name & 8) && is_field_separator(*i)))
if (! *i || ((flags & FIND_TYPE_COMMA_TERM) && is_field_separator(*i)))
DBUG_RETURN(pos+1);
}
if ((!*i && (!(full_name & 8) || !is_field_separator(*i))) &&
(!*j || !(full_name & 1)))
if ((!*i &&
(!(flags & FIND_TYPE_COMMA_TERM) || !is_field_separator(*i))) &&
(!*j || !(flags & FIND_TYPE_NO_PREFIX)))
{
find++;
findpos=pos;
}
}
if (find == 0 && (full_name & 4) && x[0] == '#' && strend(x)[-1] == '#' &&
if (find == 0 && (flags & FIND_TYPE_ALLOW_NUMBER) && x[0] == '#' &&
strend(x)[-1] == '#' &&
(findpos=atoi(x+1)-1) >= 0 && (uint) findpos < typelib->count)
find=1;
else if (find == 0 || ! x[0])
@ -111,13 +112,11 @@ int find_type(char *x, const TYPELIB *typelib, uint full_name)
DBUG_PRINT("exit",("Couldn't find type"));
DBUG_RETURN(0);
}
else if (find != 1 || (full_name & 1))
else if (find != 1 || (flags & FIND_TYPE_NO_PREFIX))
{
DBUG_PRINT("exit",("Too many possybilities"));
DBUG_RETURN(-1);
}
if (!(full_name & 2))
(void) strmov(x,typelib->type_names[findpos]);
DBUG_RETURN(findpos+1);
} /* find_type */
@ -192,7 +191,7 @@ my_ulonglong find_typeset(char *x, TYPELIB *lib, int *err)
x++;
if (x[0] && x[1]) /* skip separator if found */
x++;
if ((find= find_type(i, lib, 2 | 8) - 1) < 0)
if ((find= find_type(i, lib, FIND_TYPE_COMMA_TERM) - 1) < 0)
DBUG_RETURN(0);
result|= (ULL(1) << find);
}
@ -276,7 +275,7 @@ static TYPELIB on_off_default_typelib= {array_elements(on_off_default_names)-1,
static uint parse_name(const TYPELIB *lib, const char **strpos, const char *end)
{
const char *pos= *strpos;
uint find= find_type((char*)pos, lib, 8);
uint find= find_type(pos, lib, FIND_TYPE_COMMA_TERM);
for (; pos != end && *pos != '=' && *pos !=',' ; pos++);
*strpos= pos;
return find;
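Review bot: The find_type() doc block no longer says what removing the strmov() line means for callers: x used to be expanded in place to the full name when a unique prefix matched, and now it is never written, which is the actual fix here, but the new text only calls FIND_TYPE_NO_OVERWRITE "superfluous". Add a note stating the contract explicitly, e.g. `@note x is never modified; the canonical name of a match is typelib->type_names[result - 1].` The DBUG_ASSERT on unknown flag bits only fires in debug builds, so in release builds an unrecognised bit is silently ignored; that is acceptable but worth a word in the @param flags text.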


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2003 MySQL AB
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -1145,10 +1145,10 @@ enum option_id {
OPT_ssl_key, OPT_ssl_cert, OPT_ssl_ca, OPT_ssl_capath,
OPT_character_sets_dir, OPT_default_character_set, OPT_interactive_timeout,
OPT_connect_timeout, OPT_local_infile, OPT_disable_local_infile,
OPT_replication_probe, OPT_enable_reads_from_master, OPT_repl_parse_query,
OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_memory_base_name,
OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth,
OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth,
OPT_keep_this_one_last
};
static TYPELIB option_types={array_elements(default_options)-1,
@ -1198,6 +1198,9 @@ void mysql_read_default_options(struct st_mysql_options *options,
DBUG_ENTER("mysql_read_default_options");
DBUG_PRINT("enter",("file: %s group: %s",filename,group ? group :"NULL"));
compile_time_assert(OPT_keep_this_one_last ==
array_elements(default_options));
argc=1; argv=argv_buff; argv_buff[0]= (char*) "client";
groups[0]= (char*) "client"; groups[1]= (char*) group; groups[2]=0;
@ -1222,7 +1225,7 @@ void mysql_read_default_options(struct st_mysql_options *options,
/* Change all '_' in variable name to '-' */
for (end= *option ; *(end= strcend(end,'_')) ; )
*end= '-';
switch (find_type(*option+2,&option_types,2)) {
switch (find_type(*option + 2, &option_types, FIND_TYPE_BASIC)) {
case OPT_port:
if (opt_arg)
options->port=atoi(opt_arg);
@ -1338,8 +1341,8 @@ void mysql_read_default_options(struct st_mysql_options *options,
options->max_allowed_packet= atoi(opt_arg);
break;
case OPT_protocol:
if ((options->protocol= find_type(opt_arg,
&sql_protocol_typelib,0)) <= 0)
if ((options->protocol= find_type(opt_arg, &sql_protocol_typelib,
FIND_TYPE_BASIC)) <= 0)
{
fprintf(stderr, "Unknown option to protocol: %s\n", opt_arg);
exit(1);


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2003 MySQL AB, 2008-2009 Sun Microsystems, Inc
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -1038,9 +1038,9 @@ static bool find_db_tables_and_rm_known_files(THD *thd, MY_DIR *dirp,
}
if (!(extension= strrchr(file->name, '.')))
extension= strend(file->name);
if (find_type(extension, &deletable_extentions,1+2) <= 0)
if (find_type(extension, &deletable_extentions, FIND_TYPE_NO_PREFIX) <= 0)
{
if (find_type(extension, ha_known_exts(),1+2) <= 0)
if (find_type(extension, ha_known_exts(), FIND_TYPE_NO_PREFIX) <= 0)
*found_other_files= true;
continue;
}


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2004 MySQL AB, 2008-2009 Sun Microsystems, Inc
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -613,7 +613,8 @@ retry:
if (keyname)
{
if ((keyno=find_type(keyname, &table->s->keynames, 1+2)-1)<0)
if ((keyno= find_type(keyname, &table->s->keynames,
FIND_TYPE_NO_PREFIX) - 1) < 0)
{
my_error(ER_KEY_DOES_NOT_EXITS, MYF(0), keyname, tables->alias);
goto err;


@ -1,4 +1,4 @@
/* Copyright (C) 2000 MySQL AB
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -284,10 +284,12 @@ int get_topics_for_keyword(THD *thd, TABLE *topics, TABLE *relations,
Field *rtopic_id, *rkey_id;
DBUG_ENTER("get_topics_for_keyword");
if ((iindex_topic= find_type((char*) primary_key_name,
&topics->s->keynames, 1+2)-1)<0 ||
(iindex_relations= find_type((char*) primary_key_name,
&relations->s->keynames, 1+2)-1)<0)
if ((iindex_topic=
find_type(primary_key_name, &topics->s->keynames,
FIND_TYPE_NO_PREFIX) - 1) < 0 ||
(iindex_relations=
find_type(primary_key_name, &relations->s->keynames,
FIND_TYPE_NO_PREFIX) - 1) < 0)
{
my_message(ER_CORRUPT_HELP_DB, ER(ER_CORRUPT_HELP_DB), MYF(0));
DBUG_RETURN(-1);


@ -1,4 +1,4 @@
/* Copyright (C) 2003 MySQL AB
/* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -96,7 +96,7 @@ ulonglong find_set(TYPELIB *lib, const char *str, uint length, CHARSET_INFO *cs,
/*
Function to find a string in a TYPELIB
(Same format as mysys/typelib.c)
(similar to find_type() of mysys/typelib.c)
SYNOPSIS
find_type()


@ -1444,8 +1444,8 @@ static int open_binary_frm(THD *thd, TABLE_SHARE *share, uchar *head,
/* Fix key->name and key_part->field */
if (key_parts)
{
uint primary_key=(uint) (find_type((char*) primary_key_name,
&share->keynames, 3) - 1);
uint primary_key=(uint) (find_type(primary_key_name, &share->keynames,
FIND_TYPE_NO_PREFIX) - 1);
longlong ha_option= handler_file->ha_table_flags();
keyinfo= share->key_info;
key_part= keyinfo->key_part;


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2003 MySQL AB
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -673,7 +673,8 @@ get_one_option(int optid,
int method;
enum_mi_stats_method UNINIT_VAR(method_conv);
myisam_stats_method_str= argument;
if ((method=find_type(argument, &myisam_stats_method_typelib, 2)) <= 0)
if ((method= find_type(argument, &myisam_stats_method_typelib,
FIND_TYPE_BASIC)) <= 0)
{
fprintf(stderr, "Invalid value of stats_method: %s.\n", argument);
exit(1);


@ -1,4 +1,4 @@
/* Copyright (C) 2000-2006 MySQL AB, 2008-2009 Sun Microsystems, Inc
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -77,7 +77,7 @@ MYRG_INFO *myrg_open(const char *name, int mode, int handle_locking)
{
if (!strncmp(buff+1,"INSERT_METHOD=",14))
{ /* Lookup insert method */
int tmp=find_type(buff+15,&merge_insert_method,2);
int tmp= find_type(buff + 15, &merge_insert_method, FIND_TYPE_BASIC);
found_merge_insert_method = (uint) (tmp >= 0 ? tmp : 0);
}
continue; /* Skip comments */
@ -271,7 +271,7 @@ MYRG_INFO *myrg_parent_open(const char *parent_name,
{
/* Compare buffer with global methods list: merge_insert_method. */
insert_method= find_type(child_name_buff + 15,
&merge_insert_method, 2);
&merge_insert_method, FIND_TYPE_BASIC);
}
continue;
}
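Review bot: The two changed calls in this file handle the -1 return of find_type() differently: the first clamps it with `tmp >= 0 ? tmp : 0` before storing, while the second stores the raw result in insert_method, so an ambiguous INSERT_METHOD= prefix leaves -1 there. The code after the second hunk is not visible, so this only matters if insert_method is used as-is, but the two paths read the same file format and should agree. Apply the same clamp there, e.g. `int tmp= find_type(child_name_buff + 15, &merge_insert_method, FIND_TYPE_BASIC);` followed by `insert_method= (tmp >= 0 ? tmp : 0);`. Both enclosing functions start and end outside the hunks.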