revno: 2861
committer: Georgi Kodinov <joro@sun.com>
branch nick: B53371-5.0-bugteam
timestamp: Mon 2010-05-03 18:16:51 +0300
message:
Bug #53371: COM_FIELD_LIST can be abused to bypass table level grants.
The server was not checking the supplied to COM_FIELD_LIST table name
for validity and compliance to acceptable table names standards.
Fixed by checking the table name for compliance similar to how it's
normally checked by the parser and returning an error message if
it's not compliant.
The server was not checking the supplied to COM_FIELD_LIST table name
for validity and compliance to acceptable table names standards.
Fixed by checking the table name for compliance similar to how it's
normally checked by the parser and returning an error message if
it's not compliant.
The server could be tricked to read packets indefinitely if it
received a packet larger than the maximum size of one packet.
This problem is aggravated by the fact that it can be triggered
before authentication.
The solution is to no skip big packets for non-authenticated
sessions. If a big packet is sent before a session is authen-
ticated, a error is returned and the connection is closed.
include/mysql_com.h:
Add skip flag. Only used in server builds.
sql/net_serv.cc:
Control whether big packets can be skipped.
Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
checked for sanity. By sending long data for the table a buffer is overflown, which can
be used deliberately to include code that harms".
Fix: check incoming data length.
sql/sql_parse.cc:
Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
- check incoming mysql_list_fields() table name arg length.
The problem was in an incorrect debug assertion. The expression
used in the failing assertion states that when finding
references matching ORDER BY expressions, there can be only one
reference to a single table. But that does not make any sense,
all test cases for this bug are valid examples with multiple
identical WHERE expressions referencing the same table which
are also present in the ORDER BY list.
Fixed by removing the failing assertion. We also have to take
care of the 'found' counter so that we count multiple
references only once. We rely on this fact later in
eq_ref_table().
mysql-test/r/join.result:
Added a test case for bug #50335.
mysql-test/t/join.test:
Added a test case for bug #50335.
sql/sql_select.cc:
Removing the assertion in eq_ref_table() as it does not make
any sense. We also have to take care of the 'found' counter so
that we count multiple references only once. We rely on this
fact later in eq_ref_table().
function on windows
When making sure that the directory path ends up with a
slash/backslash we need to check for the correct length of
the buffer and trim at the appropriate location so we don't
write past the end of the buffer.
The crash is the result of an attempt made by JOIN::optimize to evaluate
the WHERE condition when no records have been actually read.
The fix is to remove erroneous 'outer_join' variable check.
mysql-test/r/join.result:
test result
mysql-test/t/join.test:
test case
sql/sql_select.cc:
removed erroneous 'outer_join' variable check.
The crash happens because greedy_serach
can not determine best plan due to
wrong inner table dependences. These
dependences affects join table sorting
which performs before greedy_search starting.
In our case table which has real 'no dependences'
should be put on top of the list but it does not
happen as inner tables have no dependences as well.
The fix is to exclude RAND_TABLE_BIT mask from
condition which checks if table dependences
should be updated.
mysql-test/r/join.result:
test result
mysql-test/t/join.test:
test case
sql/sql_select.cc:
RAND_TABLE_BIT mask should not be counted as it
prevents update of inner table dependences.
For example it might happen if RAND() function
is used in JOIN ON clause.
SET autocommit=1 while XA transaction is active may
cause various side effects, including memory corruption
and server crash.
The problem is that SET autocommit=1 and further queries
attempt to commit local transaction, whereas XA transaction
is still active.
As local and XA transactions are mutually exclusive, this
patch forbids enabling autocommit mode while XA transaction
is active.
mysql-test/r/xa.result:
A test case for BUG#51342.
mysql-test/t/xa.test:
A test case for BUG#51342.
sql/set_var.cc:
Forbid enabling autocommit mode while XA transaction is
active.
Spatial indexes were not checking for out-of-record condition in
the handler next command when the previous command didn't found
rows.
Fixed by making the rtree index to check for end of rows condition
before re-using the key from the previous search.
Fixed another crash if the tree has changed since the last search.
Added a test case for the other error.
If an outer query is broken, a subquery might not even get set up.
EXPLAIN EXTENDED did not expect this and merrily tried to de-ref all
of the half-setup info.
We now catch this case and print as much as we have, as it doesn't cost us
anything (doesn't make regular execution slower).
backport from 5.1
mysql-test/r/explain.result:
Show that EXPLAIN EXTENDED with subquery and illegal out query doesn't crash.
Show also that SHOW WARNINGS will render an additional Note in the hope of
being, well, helpful.
mysql-test/t/explain.test:
If we have only half a query for EXPLAIN EXTENDED to print (i.e.,
incomplete subquery info as outer query is illegal), we should
provide the user with as much info as we easily can if they ask
for it. What we should not do is crash when they come asking for
help, that violates etiquette in some countries.
sql/item_subselect.cc:
If the sub-query's actually set up, print it. Otherwise, elide.
Fixed crash caused by x64 int/long incompatibility introduced
in Bug #29125.
sql/item_timefunc.cc:
Fixed crash caused by int/long incompatibility on x64 systems.
Changed two "uint" casts and a "long" declartion to "int" in order to
ensure that the integer sign is preserved.
See Bug #48739 for details.
When EXPLAIN EXTENDED tries to print column names, it checks whether the
referenced table is CONST (in which case, the column's value rather than
its name will be printed). If no proper table is reference (i.e. because
a derived table was used that has since gone out of scope), this will fail
spectacularly.
This ports an equivalent of the fix for Bug 43354.
mysql-test/r/func_gconcat.result:
Show that EXPLAIN EXTENDED on a GROUP_CONCAT() on a derived table
no longer crashes the server.
mysql-test/t/func_gconcat.test:
Show that EXPLAIN EXTENDED on a GROUP_CONCAT() on a derived table
no longer crashes the server.
sql/item_sum.cc:
Do not de-ref what cannot be, that is, temp-tables that have gone away.
This is of questionable utility anyway, since our deref has the sole
purpose of checking whether the table is const (in which case, we'll
substitute the column with its value in EXPLAIN EXTENDED - that is all).
in message printed at end of configure
New text for the success message of "configure".
configure.in:
The message must be changed to drop the "www.mysql.com" URL.
> ------------------------------------------------------------
> revno: 2818.1.39
> revision-id: gshchepa@mysql.com-20091201102444-yw166t3audrojo9s
> parent: joro@sun.com-20091127160731-6h2fahbh4409i841
> committer: Gleb Shchepa <gshchepa@mysql.com>
> branch nick: mysql-5.0-bugteam
> timestamp: Tue 2009-12-01 14:24:44 +0400
> message:
> Bug #38883 (reopened): thd_security_context is not thread safe, crashes?
>
> The bug 38816 changed the lock that protects THD::query from
> LOCK_thread_count to LOCK_thd_data, but didn't update the associated
> InnoDB functions.
>
> 1. The innobase_mysql_prepare_print_arbitrary_thd and the
> innobase_mysql_end_print_arbitrary_thd InnoDB functions have been
> removed, since now we have a per-thread mutex: now we don't need to wrap
> several inter-thread access tries to THD::query with a single global
> LOCK_thread_count lock, so we can simplify the code.
>
> 2. The innobase_mysql_print_thd function has been modified to lock
> LOCK_thd_data in direct way.
> ------------------------------------------------------------
> revno: 2818.1.38
> revision-id: joro@sun.com-20091127160731-6h2fahbh4409i841
> parent: joro@sun.com-20091127143622-bqfsmhhr2pqodsm2
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: fix-5.0-bugteam
> timestamp: Fri 2009-11-27 18:07:31 +0200
> message:
> Addendum to bug #48872: disable output in the test case because errors are
> dependent on the case mode
> ------------------------------------------------------------
> revno: 2818.1.35
> revision-id: joro@sun.com-20091127095944-autr58itccge4z9l
> parent: satya.bn@sun.com-20091125095925-871384fcnwwa2yqt
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B48872-5.0-bugteam
> timestamp: Fri 2009-11-27 11:59:44 +0200
> message:
> Bug #48872 : Privileges for stored functions ignored if function name
> is mixed case
>
> Transcode the procedure name to lowercase when searching for it in the
> hash. This is the missing part of the fix for bug #41049.
> ------------------------------------------------------------
> revno: 2818.1.29
> revision-id: joro@sun.com-20091118152410-j4tv22vf9xkb6sdz
> parent: kent.boortz@sun.com-20091117164924-rscth12t9a2qog1b
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: test-5.0-bugteam
> timestamp: Wed 2009-11-18 17:24:10 +0200
> message:
> Bug#48864: MySQL fails to compile on 64 bit Fedora 12
>
> Fixed 2 errors in comp_err executable :
> 1. Wrong (off by 1) length passed to my_checksum()
> 2. strmov() was used on overlapping strings. This is
> not legal according to the docs in stpcpy(). Used
> the overlap safe memmove() instead.
> ------------------------------------------------------------
> revno: 2818.1.26
> revision-id: joro@sun.com-20091109140946-07wao5od7l1vn4x1
> parent: joro@sun.com-20091110082141-ldr8p6s1joczve2j
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B48458-5.0-bugteam
> timestamp: Mon 2009-11-09 16:09:46 +0200
> message:
> Bug #48458: simple query tries to allocate enormous amount of
> memory
>
> The server was doing a bad class typecast causing setting of
> wrong value for the maximum number of items in an internal
> structure used in equality propagation.
> Fixed by not doing the wrong typecast and asserting the type
> of the Item where it should be done.
> ------------------------------------------------------------
> revno: 2818.1.19
> revision-id: kostja@sun.com-20091103165854-7di545xruez8w207
> parent: li-bing.song@sun.com-20091103090041-zj7nedx6ok5jgges
> committer: Konstantin Osipov <kostja@sun.com>
> branch nick: 5.0-41756
> timestamp: Tue 2009-11-03 19:58:54 +0300
> message:
> A fix and a test case for
> Bug#41756 "Strange error messages about locks from InnoDB".
>
> In JT_EQ_REF (join_read_key()) access method,
> don't try to unlock rows in the handler, unless certain that
> a) they were locked
> b) they are not used.
>
> Unlocking of rows is done by the logic of the nested join loop,
> and is unaware of the possible caching that the access method may
> have. This could lead to double unlocking, when a row
> was unlocked first after reading into the cache, and then
> when taken from cache, as well as to unlocking of rows which
> were actually used (but taken from cache).
>
> Delegate part of the unlocking logic to the access method,
> and in JT_EQ_REF count how many times a record was actually
> used in the join. Unlock it only if it's usage count is 0.
>
> Implemented review comments.
> ------------------------------------------------------------
> revno: 2818.1.18
> revision-id: li-bing.song@sun.com-20091103090041-zj7nedx6ok5jgges
> parent: davi.arnaut@sun.com-20091102201021-1brn7cjb1kvqg9gr
> committer: <Li-Bing.Song@sun.com>
> branch nick: mysql-5.0-bugteam
> timestamp: Tue 2009-11-03 17:00:41 +0800
> message:
> BUG#48216 Replication fails on all slaves after upgrade to 5.0.86 on master
>
> When a sessione is closed, all temporary tables of the session are automatically
> dropped and are binlogged. But it will be binlogged with wrong database names when
> the length of the temporary tables' database names are greater than the
> length of the current database name or the current database is not set.
>
> Query_log_event's db_len is forgot to set when Query_log_event's db is set.
> This patch wrote code to set db_len immediately after db has set.
> ------------------------------------------------------------
> revno: 2818.4.1
> revision-id: alexey.kopytov@sun.com-20091030155453-0vlfwki805h9os62
> parent: joerg@mysql.com-20091016122941-rf6z0keqvmlgjfto
> committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
> branch nick: my50-bug48131
> timestamp: Fri 2009-10-30 18:54:53 +0300
> message:
> Bug #48131: crash group by with rollup, distinct, filesort,
> with temporary tables
>
> There were two problems the test case from this bug was
> triggering:
>
> 1. JOIN::rollup_init() was supposed to wrap all constant Items
> into another object for queries with the WITH ROLLUP modifier
> to ensure they are never considered as constants and therefore
> are written into temporary tables if the optimizer chooses to
> employ them for DISTINCT/GROUP BY handling.
>
> However, JOIN::rollup_init() was called before
> make_join_statistics(), so Items corresponding to fields in
> const tables could not be handled as intended, which was
> causing all kinds of problems later in the query execution. In
> particular, create_tmp_table() assumed all constant items
> except "hidden" ones to be removed earlier by remove_const()
> which led to improperly initialized Field objects for the
> temporary table being created. This is what was causing crashes
> and valgrind errors in storage engines.
>
> 2. Even when the above problem had been fixed, the query from
> the test case produced incorrect results due to some
> DISTINCT/GROUP BY optimizations being performed by the
> optimizer that are inapplicable in the WITH ROLLUP case.
>
> Fixed by disabling inapplicable DISTINCT/GROUP BY optimizations
> when the WITH ROLLUP modifier is present, and splitting the
> const-wrapping part of JOIN::rollup_init() into a separate
> method which is now invoked after make_join_statistics() when
> the const tables are already known.
> ------------------------------------------------------------
> revno: 2818.1.13
> revision-id: joro@sun.com-20091030131543-2b23fnqckgbzvete
> parent: joro@sun.com-20091030094044-quadg0bwjy7cwqzw
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B48291-5.0-bugteam
> timestamp: Fri 2009-10-30 15:15:43 +0200
> message:
> Bug #48291 : crash with row() operator,select into @var, and
> subquery returning multiple rows
>
> Error handling was missing when handling subqueires in WHERE
> and when assigning a SELECT result to a @variable.
> This caused crash(es).
>
> Fixed by adding error handling code to both the WHERE
> condition evaluation and to assignment to an @variable.
> ------------------------------------------------------------
> revno: 2818.1.12
> revision-id: joro@sun.com-20091030094044-quadg0bwjy7cwqzw
> parent: joro@sun.com-20091029152429-ks55fhrp4lhknyij
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B48293-5.0-bugteam
> timestamp: Fri 2009-10-30 11:40:44 +0200
> message:
> Bug #48293: crash with procedure analyse, view with > 10 columns,
> having clause...
>
> The fix for bug 46184 was not very complete. It was not covering
> views using temporary tables and multiple tables in a FROM clause.
> Fixed by reverting the fix for 46184 and making a more general
> check that is checking at the right execution stage and for all
> of the non-supported cases.
> Now PROCEDURE ANALYZE on non-top level SELECT is also forbidden.
> Updated the analyse.test and subselect.test accordingly.
> ------------------------------------------------------------
> revno: 2818.1.6
> revision-id: joro@sun.com-20091021084345-iki6z0uceieoupey
> parent: ramil@mysql.com-20091023112648-gie6o3odj57cxh1e
> committer: Georgi Kodinov <joro@sun.com>
> branch nick: B47780-5.0-bugteam
> timestamp: Wed 2009-10-21 11:43:45 +0300
> message:
> Bug #47780: crash when comparing GIS items from subquery
>
> If the first argument to GeomFromWKB function is a geometry
> field then the function just returns its value.
> However in doing so it's not preserving first argument's
> null_value flag and this causes unexpected null value to
> be returned to the calling function.
>
> Fixed by updating the null_value of the GeomFromWKB function
> in such cases (and all other cases that return a NULL e.g.
> because of not enough memory for the return buffer).
> ------------------------------------------------------------
> revno: 2818.1.5
> revision-id: ramil@mysql.com-20091023112648-gie6o3odj57cxh1e
> parent: ramil@mysql.com-20091021090408-208mvwwrcroi2j8c
> committer: Ramil Kalimullin <ramil@mysql.com>
> branch nick: b48258-5.0-bugteam
> timestamp: Fri 2009-10-23 16:26:48 +0500
> message:
> Fix for bug#48258: Assertion failed when using a spatial index
>
> Problem: involving a spatial index for "non-spatial" queries
> (that don't containt MBRXXX() functions) may lead to failed assert.
>
> Fix: don't use spatial indexes in such cases.
> ------------------------------------------------------------
> revno: 2818.1.4
> revision-id: ramil@mysql.com-20091021090408-208mvwwrcroi2j8c
> parent: azundris@mysql.com-20091021033856-ydodp4q42o58e7ka
> committer: Ramil Kalimullin <ramil@mysql.com>
> branch nick: b47019-5.0-bugteam
> timestamp: Wed 2009-10-21 14:04:08 +0500
> message:
> Fix for bug#47019: Assertion failed: 0, file .\rt_mbr.c,
> line 138 when forcing a spatial index
>
> Problem: "Spatial indexes can be involved in the search
> for queries that use a function such as MBRContains()
> or MBRWithin() in the WHERE clause".
> Using spatial indexes for JOINs with =, <=> etc.
> predicates is incorrect.
>
> Fix: disable spatial indexes for such queries.
