The problem was that a user could supply supply data in chunks
via the COM_STMT_SEND_LONG_DATA command to prepared statement
parameter other than of type TEXT or BLOB. This posed a problem
since other parameter types aren't setup to handle long data,
which would lead to a crash when attempting to use the supplied
data.
Given that long data can be supplied at any stage of a prepared
statement, coupled with the fact that the type of a parameter
marker might change between consecutive executions, the solution
is to validate at execution time each parameter marker for which
a data stream was provided. If the parameter type is not TEXT or
BLOB (that is, if the type is not able to handle a data stream),
a error is returned.
sql/sql_prepare.cc:
Before converting the parameter data stream, check the type
compatibility.
tests/mysql_client_test.c:
Add test case.
strict aliasing violations.
Essentially, the problem is that large parts of the server were
developed in simpler times (last decades, pre C99 standard) when
strict aliasing and compilers supporting such optimizations were
rare to non-existent. Thus, when compiling the server with a modern
compiler that uses strict aliasing rules to perform optimizations,
there are several places in the code that might trigger undefined
behavior.
As evinced by some recent bugs, GCC does a somewhat good of job
misoptimizing such code, but on the other hand also gives warnings
about suspicious code. One problem is that the warnings aren't
always accurate, yet we can't afford to just shut them off as we
might miss real cases. False-positive cases are aggravated mostly
by casts that are likely to trigger undefined behavior.
The solution is to start a cleanup process focused on fixing and
reducing the amount of strict-aliasing related warnings produced
by GCC and others compilers. A good deal of noise reduction can
be achieved by just removing useless casts that are product of
historical cruft and are likely to trigger undefined behavior if
dereferenced.
client/mysql.cc:
Remove now-unnecessary casts.
Break up large strings.
client/mysql_upgrade.c:
Remove now-unnecessary casts.
client/mysqladmin.cc:
Remove now-unnecessary casts.
Break up large strings.
client/mysqlbinlog.cc:
Remove now-unnecessary casts.
client/mysqlcheck.c:
Remove now-unnecessary casts.
client/mysqldump.c:
Remove now-unnecessary casts.
client/mysqlimport.c:
Remove now-unnecessary casts.
client/mysqlshow.c:
Remove now-unnecessary casts.
client/mysqlslap.c:
Remove now-unnecessary casts.
client/mysqltest.cc:
Remove now-unnecessary casts.
extra/comp_err.c:
Remove now-unnecessary casts.
extra/my_print_defaults.c:
Remove now-unnecessary casts.
Break up large strings.
extra/mysql_waitpid.c:
Remove now-unnecessary casts.
extra/perror.c:
Remove now-unnecessary casts.
extra/resolve_stack_dump.c:
Remove now-unnecessary casts.
extra/resolveip.c:
Remove now-unnecessary casts.
include/my_getopt.h:
Use a void pointer type as the opaque type to avoid problems with type
incompatibility -- GCC issues warnings when the type name is not type
compatible with a operand. As a side bonus, a explicit cast won't be
necessary anymore.
include/sslopt-longopts.h:
Remove now-unnecessary casts.
Break up large strings.
mysys/my_getopt.c:
Update opaque type and introduce a type definition for the
argument to my_getopt_register_get_addr.
server-tools/instance-manager/options.cc:
Remove now-unnecessary casts.
sql/mysqld.cc:
Remove now-unnecessary casts.
Break up large strings.
Update mysql_getopt_value prototype (the old prototype
was different from the definition anyway).
sql/sql_plugin.cc:
The type of a pointer to a function must be compatible with the
pointed-to function type, otherwise the behavior is undefined.
sql/table.cc:
The variable buf pointer to pointer to pointer to constant char
could improperly alias a incompatible type in call to fix_type_
pointers. Since this was actually dead code, it is simply removed.
sql/unireg.cc:
Remove call to get_form_pos. The code creates a new FRM file which
is always truncated and writes the form position as 0. Hence, no
need to retrieve it, we now for sure it is 0.
storage/archive/archive_reader.c:
Remove now-unnecessary casts.
storage/myisam/ft_nlq_search.c:
Read weight directly from the buffer.
storage/myisam/fulltext.h:
Add explanation about the type duality of a key buffer.
Add accessor macro to retrieve a FT float value.
storage/myisam/mi_test1.c:
Remove now-unnecessary casts.
storage/myisam/myisam_ftdump.c:
Read weight directly from the buffer.
storage/myisam/myisamchk.c:
Remove now-unnecessary casts.
storage/myisam/myisamlog.c:
A pointer to char was used to alias a pointer to pointer to
unsigned char, thus violating strict aliasing rules.
storage/myisam/myisampack.c:
Remove now-unnecessary casts.
strings/decimal.c:
Remove aliasing violation, printing the value is enough for
debugging purposes.
tests/mysql_client_test.c:
Remove now-unnecessary casts.
Problem: one with SELECT privilege on some table may dump other table
performing COM_TABLE_DUMP command due to missed check of the table name.
Fix: check the table name.
sql/sql_parse.cc:
Fix for bug #53907: Table dump command can be abused to dump arbitrary tables.
- check given table name performing COM_TABLE_DUMP command.
tests/mysql_client_test.c:
Fix for bug #53907: Table dump command can be abused to dump arbitrary tables.
- test case.
that generated multiple result sets (such as a stored procedure or a
multi-statement command) would leave the connection unusable. (Bug #42373)
A side-effect of this bug fix is to make MYSQL_INIT_COMMAND settings ignored
when connecting from within the server, but none of the existing mechanisms
for connecting from within the server use or need to set the initial command.
This is the 5.1 merge and extension of the fix.
The server was happily accepting paths in table name in all places a table
name is accepted (e.g. a SELECT). This allowed all users that have some
privilege over some database to read all tables in all databases in all
mysql server instances that the server file system has access to.
Fixed by :
1. making sure no path elements are allowed in quoted table name when
constructing the path (note that the path symbols are still valid in table names
when they're properly escaped by the server).
2. checking the #mysql50# prefixed names the same way they're checked for
path elements in mysql-5.0.
The server was not checking the supplied to COM_FIELD_LIST table name
for validity and compliance to acceptable table names standards.
Fixed by checking the table name for compliance similar to how it's
normally checked by the parser and returning an error message if
it's not compliant.
The reason for the bug is that mysqtest as well as other client tools
running in test suite (mysqlbinlog, mysqldump) will first try to connect
whatever database has created shared memory with default base name
"MySQL" and use this. (Same effect could be seen on Unix if mtr would
not care to calculate "port" and "socket" parameter).
The fix ensures that all client tools and running in mtr use unique
per-database shared memory base parameters, so there is no possibility
to clash with already installed one. We use socket name for shared memory
base (it's known to be unique). This shared-memory-base is written to the
MTR config file to the [client] and [mysqld] sections. Fix made also made
sure all client tools understand and correctly handle --shared-memory-base.
Prior to this patch it was not the case for mysqltest, mysqlbinlog and
mysql_client_test.
All new connections done from mtr scripts via connect() will by default
set shared-memory-base. And finally, there is a possibility to force
shared memory or pipe connection and overwrite shared memory/pipe base name
from within mtr scripts via optional PIPE or SHM modifier. This functionality
was manually backported from 6.0
(original patch http://lists.mysql.com/commits/74749)
client/mysql.cc:
Remove leading whitespace.
Remove extra text after #else directive.
client/mysqldump.c:
Function does not take a parameter.
mysys/array.c:
buffer is a uchar pointer.
sql/item.cc:
Assert if it should not happen.
storage/myisam/mi_check.c:
Cast to expected type. This is probably a bug, but it is
casted in a similar way in another part of the code.
storage/ndb/include/mgmapi/ndb_logevent.h:
Apply fix from cluster team.
tests/mysql_client_test.c:
Remove extraneous slash.
The problem is that the lexer could inadvertently skip over the
end of a query being parsed if it encountered a malformed multibyte
character. A specially crated query string could cause the lexer
to jump up to six bytes past the end of the query buffer. Another
problem was that the laxer could use unfiltered user input as
a signed array index for the parser maps (having upper and lower
bounds 0 and 256 respectively).
The solution is to ensure that the lexer only skips over well-formed
multibyte characters and that the index value of the parser maps
is always a unsigned value.
mysql-test/r/ctype_recoding.result:
Update test case result: ending backtick is not skipped over anymore.
sql/sql_lex.cc:
Characters being analyzed must be unsigned as they can be
used as indexes for the parser maps. Only skip over if the
string is a valid multi-byte sequence.
tests/mysql_client_test.c:
Add test case for Bug#45010
Post-merge fix: test case could fail due to a conversion of the
max_join_size value to a integer. Fixed by preserving the value
as a string for comparison purposes.
tests/mysql_client_test.c:
Preserve max_join_size value as a string instead of converting
it to a integer -- value can be larger then the type used.
unnecessarily
The problem is that libmysqlclient.so is built with THREAD
undefined, while a client compiling against the same header
files will see THREAD as defined and definitions in
my_pthread.h will be included, possibly resulting in undefined
symbols that cannot be resolved with libmysqlclient.so.
The suggested solution is to require that clients wanting to
link with libmysqlclient.so should be built with
MYSQL_CLIENT_NO_THREADS defined. This requires a documentation
change, and more details for this will be supplied if this
patch is approved.
The MYSQL_CLIENT_NO_THREADS define was renamed from
UNDEF_THREADS_HACK, to get a more suitable (less suspicious)
name for the define. (The UNDEF_THREADS_HACK is retained for
backwards compatibility, though.)
This patch is also in anticipation of WL#4958, which will
remove this problem altogether by dropping the building of
libmysqlclient.
enabled message storing into error message list
for 'drop table' command
mysql-test/r/warnings.result:
test result
mysql-test/t/warnings.test:
test case
sql/sql_table.cc:
We should skip error sending then we should return
warnings to client as some functions may send its
own errors, so we should set no_warnings_for_error= 0
only in case of warning.
The fix is to enable message storing into error message
list for 'drop table' command(only for error case).
tests/mysql_client_test.c:
test fix
without proper formatting
The problem is that a suitably crafted database identifier
supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
and thereby a denial of service. The database name is printed
to the log without using a format string, so potential
attackers can control the behavior of my_b_vprintf() by
supplying their own format string. A CREATE or DROP privilege
would be required.
This patch supplies a format string to the printing of the
database name. A test case is added to mysql_client_test.
sql/sql_parse.cc:
Added format strings.
tests/mysql_client_test.c:
Added new test case.
per-file comments:
tests/mysql_client_test.c
the test for bug 37956 isn't relevant anymore.
The query there 'select point(?,?)' doesn't produce an error.
This is a back port from 5.1 to 5.0.
Fix for BUG 20023: mysql_change_user() resets the value
of SQL_BIG_SELECTS.
The bug was that SQL_BIG_SELECTS was not properly set
in COM_CHANGE_USER.
The fix is to update SQL_BIG_SELECTS properly.
sql/sql_class.cc:
Update THD::options with the respect to SQL_BIG_SELECTS
in COM_CHANGE_USER.
tests/mysql_client_test.c:
Add a test case BUG#20023.
*with --with-charset=utf8*
Problem: wrong LONG TEXT field length is sent to a client
when multibyte server character set used.
Fix: always limit field length sent to a client to 2^32,
as we store it in 4 byte slot.
Note: mysql_client_test changed accordingly.
sql/protocol.cc:
Fix for bug#19829:make test Failed in mysql_client_test
*with --with-charset=utf8*
- limit field length sent to client to UINT_MAX32 as
it may exceeds 32 bit slot for LONG TEXT fields if
thd_charset->mbmaxlen > 1.
tests/mysql_client_test.c:
Fix for bug#19829:make test Failed in mysql_client_test
*with --with-charset=utf8*
- checking field members have in mind that field length
is limited to UINT_MAX32.
returns short string value.
Multibyte character sets were not taken into account when
calculating max_length in Item_param::convert_str_value(). As a
result, string parameters of a prepared statement could be
truncated later when calculating string length in characters by
dividing length in bytes by the charset's mbmaxlen value (e.g. in
Field_varstring::store()).
Fixed by taking charset's mbmaxlen into account when calculating
max_length in Item_param::convert_str_value().
sql/item.cc:
Multiply string's length in characters by charset's mbmaxlen when
calculating max_length.
tests/mysql_client_test.c:
Added a test case for bug #41078.
- Remove bothersome warning messages. This change focuses on the warnings
that are covered by the ignore file: support-files/compiler_warnings.supp.
- Strings are guaranteed to be max uint in length
- Remove bothersome warning messages. This change focuses on the warnings
that are covered by the ignore file: support-files/compiler_warnings.supp.
- Strings are guaranteed to be max uint in length
The problem is that the query cache stores packets containing
the server status of the time when the cached statement was run.
This might lead to a wrong transaction status in the client side
if a statement is cached during a transaction and is later served
outside a transaction context (and vice-versa).
The solution is to take into account the transaction status when
storing in and serving from the query cache.
mysql-test/r/innodb_cache.result:
Update test case result.
mysql-test/r/query_cache.result:
Add test case result for Bug#36326
mysql-test/t/query_cache.test:
Add test case for Bug#36326
sql/mysql_priv.h:
Add new flags.
sql/sql_cache.cc:
Remember the transaction and autocommit status stored in the packet.
tests/mysql_client_test.c:
Add test case for Bug#36326
Bug#37671 crash on prepared statement + cursor + geometry + too many open files!
if mysql_execute_command() returns error then free materialized_cursor object.
is_rnd_inited is added to satisfy rnd_end() assertion
(handler may be uninitialized in some cases)
sql/sql_cursor.cc:
if mysql_execute_command() returns error then free materialized_cursor object.
is_rnd_inited is added to satisfy rnd_end() assertion
(handler may be uninitialized in some cases)
sql/sql_select.cc:
added result check
tests/mysql_client_test.c:
test case
