> ------------------------------------------------------------
> revno: 3392.1.1
> revision-id: gshchepa@mysql.com-20100521184732-0jvpzinv0uwyvr2d
> parent: sven.sandberg@sun.com-20100520153801-yyhujm1qqa4eyfn0
> committer: Gleb Shchepa <gshchepa@mysql.com>
> branch nick: 53804-5.1
> timestamp: Fri 2010-05-21 22:47:32 +0400
> message:
> Bug #53804: serious flaws in the alter database .. upgrade
> data directory name command
>
> The check_db_name function has been modified to validate tails of
> #mysql50#-prefixed database names for compliance with MySQL 5.0
> database name encoding rules (the check_table_name function call
> has been reused).
> ------------------------------------------------------------
> revno: 3386
> revision-id: sergey.glukhov@sun.com-20100518082821-yajhvbv1ghmlpu1n
> parent: aelkin@mysql.com-20100516170332-x8priwrdjwolc065
> committer: Sergey Glukhov <Sergey.Glukhov@sun.com>
> branch nick: mysql-5.1-bugteam
> timestamp: Tue 2010-05-18 13:28:21 +0500
> message:
> Bug#48729 SELECT ... FROM INFORMATION_SCHEMA.ROUTINES causes memory to grow
> Analysis showed that in case of accessing I_S table
> ROUTINES we perform unnecessary allocations
> with get_field() function for every processed row that
> in their turn causes significant memory growth.
> the fix is to avoid use of get_field().
> ------------------------------------------------------------
> revno: 3367 [merge]
> revision-id: joro@sun.com-20100504140328-srxf3c088j2twnq6
> parent: kristofer.pettersson@sun.com-20100503172109-f9hracq5pqsaomb1
> parent: joro@sun.com-20100503151651-nakknn8amrapmdp7
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B53371-5.1-bugteam
> timestamp: Tue 2010-05-04 17:03:28 +0300
> message:
> Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
>
> This is the 5.1 merge and extension of the fix.
> The server was happily accepting paths in table name in all places a table
> name is accepted (e.g. a SELECT). This allowed all users that have some
> privilege over some database to read all tables in all databases in all
> mysql server instances that the server file system has access to.
> Fixed by :
> 1. making sure no path elements are allowed in quoted table name when
> constructing the path (note that the path symbols are still valid in table names
> when they're properly escaped by the server).
> 2. checking the #mysql50# prefixed names the same way they're checked for
> path elements in mysql-5.0.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.
> ------------------------------------------------------------
> revno: 3351.41.1
> revision-id: alexey.kopytov@sun.com-20100430111048-jdls6ofn4kkmpt09
> parent: sergey.glukhov@sun.com-20100329134249-03wyhzp5k92dzhcb
> committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
> branch nick: my51-bug48419
> timestamp: Fri 2010-04-30 15:10:48 +0400
> message:
> Bug #48419: another explain crash..
>
> WHERE predicates containing references to empty tables in a
> subquery were handled incorrectly by the optimizer when
> executing EXPLAIN. As a result, the optimizer could try to
> evaluate such predicates rather than just stop with
> "Impossible WHERE noticed after reading const tables" as
> it would do in a non-subquery case. This led to valgrind
> errors and crashes.
>
> Fixed the code checking the above condition so that subqueries
> are not excluded and hence are handled in the same way as top
> level SELECTs.
> ------------------------------------------------------------
> revno: 1810.3987.14
> revision-id: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> parent: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: 50974-5.0
> timestamp: Thu 2010-04-29 10:28:16 -0300
> message:
> Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
>
> The server could be tricked to read packets indefinitely if it
> received a packet larger than the maximum size of one packet.
> This problem is aggravated by the fact that it can be triggered
> before authentication.
>
> The solution is to no skip big packets for non-authenticated
> sessions. If a big packet is sent before a session is authen-
> ticated, a error is returned and the connection is closed.
> ------------------------------------------------------------
> revno: 3363 [merge]
> revision-id: davi.arnaut@sun.com-20100429231819-i3anwzrdasjmezvt
> parent: davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs
> parent: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: mysql-5.1-bugteam
> timestamp: Thu 2010-04-29 20:18:19 -0300
> message:
> Manual merge.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.
> ------------------------------------------------------------
> revno: 1810.3987.13
> revision-id: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> parent: alexey.kopytov@sun.com-20100426200600-op06qy98llzpzgl1
> committer: Ramil Kalimullin <ramil@mysql.com>
> branch nick: b53237-5.0-bugteam
> timestamp: Thu 2010-04-29 08:42:32 +0400
> message:
> Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
>
> Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
> SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
> checked for sanity. By sending long data for the table a buffer is overflown, which can
> be used deliberately to include code that harms".
>
> Fix: check incoming data length.
The patch did not apply cleanly:
- Line numbers are completely off, roughly it is 2030 -> 1313
- What is called "pend" in the patch, is "arg_end" in the source.
> ------------------------------------------------------------
> revno: 3351.14.47
> revision-id: marko.makela@oracle.com-20100421095033-0acvzxb8um8cms0a
> parent: marko.makela@oracle.com-20100421094032-ir4glqk46qvg2ywn
> committer: Marko Mäkelä <marko.makela@oracle.com>
> branch nick: 5.1-innodb
> timestamp: Wed 2010-04-21 12:50:33 +0300
> message:
> dtuple_convert_big_rec(): Store locally any fields whose maximum length
> is less than 256 bytes. (Bug #52745)
> Add related comments and debug assertions to the "offsets"
> functions in rem0rec.c.
> Approved by Sunny Bains
> ------------------------------------------------------------
> revno: 3351.14.50
> revision-id: marko.makela@oracle.com-20100421185359-8qaxoa2yyrpzwdd7
> parent: marko.makela@oracle.com-20100421102723-0i80uezbyu0ekj5d
> committer: Marko Mäkelä <marko.makela@oracle.com>
> branch nick: 5.1-innodb
> timestamp: Wed 2010-04-21 21:53:59 +0300
> message:
> btr_page_split_and_insert(): Avoid an infinite loop. (Bug #52964)
>
> btr_page_tuple_smaller(): New function, refactored from
> btr_page_split_and_insert().
>
> btr_page_get_split_rec(): Renamed from btr_page_get_sure_split_rec().
> Note that a NULL return may mean that the tuple is to be inserted into
> either the lower or upper page, to be determined by btr_page_tuple_smaller().
>
> btr_page_split_and_insert(): When btr_page_get_split_rec() returns NULL,
> invoke btr_page_tuple_smaller() to determine which half-page the tuple
> belongs to.
>
> Reviewed by Sunny Bains
> ------------------------------------------------------------
> revno: 3362
> revision-id: davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs
> parent: ramil@mysql.com-20100429045409-r7r5lcyiruis15v7
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: 50755-5.1
> timestamp: Thu 2010-04-01 10:15:22 -0300
> message:
> Bug#50755: Crash if stored routine def contains version comments
>
> The problem was that a syntactically invalid trigger could cause
> the server to crash when trying to list triggers. The crash would
> happen due to a mishap in the backup/restore procedure that should
> protect parser items which are not associated with the trigger. The
> backup/restore is used to isolate the parse tree (and context) of
> a statement from the load (and parsing) of a trigger. In this case,
> a error during the parsing of a trigger could cause the improper
> backup/restore sequence.
>
> The solution is to properly restore the original statement context
> before the parser is exited due to syntax errors in the trigger body.
Incorrect handling of NULL arguments could lead to a crash on
the IN or CASE operations when either NULL arguments were
passed explicitly as arguments (IN) or implicitly generated by
the WITH ROLLUP modifier (both IN and CASE).
Item_func_case::find_item() assumed all necessary comparators
to be instantiated in fix_length_and_dec(). However, in the
presence of WITH ROLLUP modifier, arguments could be
substituted with an Item_null leading to an "unexpected"
STRING_RESULT comparator being invoked.
In addition to the problem identical to the above,
Item_func_in::val_int() could crash even with explicitly passed
NULL arguments due to an optimization in fix_length_and_dec()
leading to NULL arguments being ignored during comparators
creation.
when renaming tables
Allocate the table name using ut_malloc() instead of table->heap because
the latter cannot be freed.
Adjust dict_sys->size calculations all over the code.
Change dict_table_t::name from const char* to char* because we need to
ut_malloc()/ut_free() it.
Reviewed by: Inaam, Marko, Heikki (rb://384)
Approved by: Heikki (rb://384)
ha_innobase::index_read(), ha_innobase::records_in_range(): Check that
the index is useable before invoking row_sel_convert_mysql_key_to_innobase().
This fix is based on a suggestion by Yasufumi Kinoshita.
In process of record search it is not taken into account
that inital quick->file->ref value could be inapplicable
to range interval. After proper row is found this value is
stored into the record buffer and later the record is
filtered out at condition evaluation stage.
The fix is store a refernce of found row to the handler ref field.
dict_check_tablespaces_and_store_max_id(): Initialize max_space_id
and fil_system->max_assigned_id from DICT_HDR_MAX_SPACE_ID.
fil_space_create(): Suppress the warning unless !recv_recovery_on
(do not complain while applying the redo log).
Problem: a flaw (derefencing a NULL pointer) in the LIKE optimization
code may lead to a server crash in some rare cases.
Fix: check the pointer before its dereferencing.
mysql_client_binlog_statement
Problem: server may read from unassigned memory performing
"wrong" BINLOG queries.
Fix: never read from unassigned memory.
line exceeds the limit
The number and/or names of our files for the main test suite
(contents of "mysql-test/t/") now exceeds the command line
length limit on AIX.
Solve the problem by using separate "cp" commands for the
various file name extensions.
This is the fix for 5.1, where only the behaviour on upgrade is changed:
If the server was stopped when the upgrade begins, we assume the
administrator is taking manual action, so we do not start the (new)
server at the end of the upgrade.
We still install the start/stop script, so it will be started on reboot.
