When running mysqlbinlog on a 64-bit machine with a corrupt relay log,
it causes mysqlbinlog to crash. In this case, the crash is caused
because a request for 18446744073709534806U bytes is issued, which
apparantly can be served on a 64-bit machine (speculatively, I assume)
but this causes the memcpy() issued later to copy the data to segfault.
The request for the number of bytes is caused by a computation
of data_len - server_vars_len where server_vars_len is corrupt in such
a sense that it is > data_len. This causes a wrap-around, with the
the data_len given above.
This patch adds a check that if server_vars_len is greater than
data_len before the substraction, and aborts reading the event in
that case marking the event as invalid. It also adds checks to see
that reading the server variables does not go outside the bounds
of the available space, giving a limited amount of integrity check.
commit is specific for 5.0 to eliminated non-deterministic tests.
Those tests run only in 5.1 env where there is a necessary devices such
as processlist table of info_schema.
Since bug@20166, which replaced the binlog file name generating to base
on pidfile_name instead of the previous glob_hostname, the binlog file
name suddenly started to be stored solely in the absolute path format,
including a case when --log-bin option meant a relative path.
What's more serious, the path for binlog file can lead unrequestedly
to pid-file directory so that after any proper fix for this bug
there might be similar to the bug report consequences for one who
upgrades from post-fix-bug@20166-pre-fix-bug@28597 to post-fix-bug@28597.
Fixed with preserving`pidfile_name' (intr.by bug@20166) but stripping
off its directory part. This restores the original logics of storing
the names in compatible with --log-bin option format and with the
requirement for --log-bin ralative path to corresond to the data directory.
Side effects for this fix:
effective fixing bug@27070, refining its test;
ensuring no overrun for buff can happen anymore (Bug#31836
insufficient space reserved for the suffix of relay log file name);
bug#31837 --remove_file $MYSQLTEST_VARDIR/tmp/bug14157.sql missed
in rpl_temporary.test;
fixes Bug@28603 Invalid log-bin default location;
The fix for bug 31148 is not correct. It does not
have a relation to the problem described in this bug.
And removing the fix will not make the bug to re-appear.
Fixed the bug #31974 by removing the fix for bug 31148
and adding a test case.
error evaluating WHERE"
DELETE with a subquery in WHERE clause would sometimes ignore subquery
evaluation error and proceed with deletion.
The fix is to check for an error after evaluation of the WHERE clause
in DELETE.
Addressed review comments.
If a stored function that contains a drop temporary table statement
is invoked by a create temporary table of the same name may cause
a server crash. The problem is that when dropping a table no check
is done to ensure that table is not being used by some outer query
(or outer statement), potentially leaving the outer query with a
reference to a stale (freed) table.
The solution is when dropping a temporary table, always check if
the table is being used by some outer statement as a temporary
table can be dropped inside stored procedures.
The check is performed by looking at the TABLE::query_id value for
temporary tables. To simplify this check and to solve a bug related
to handling of temporary tables in prelocked mode, this patch changes
the way in which this member is used to track the fact that table is
used/unused. Now we ensure that TABLE::query_id is zero for unused
temporary tables (which means that all temporary tables which were
used by a statement should be marked as free for reuse after it's
execution has been completed).
during udf initialization. The bug is spotted while working on Bug 12713.
If a user-defined function was used in a SELECT statement, and an
error would occur during UDF initialization, this error would not terminate
execution of the SELECT, but rather would be converted to a warning.
The fix is to use a stack buffer to store the message from udf_init instead
of private my_error() buffer.
SHOW PROCESSLIST.
The problem was a race condition: if the Event Scheduler was not
quick enough, the following scenario happens:
- The Event Scheduler picks up the created event;
- The event is executed;
- event_scheduler_thread->proc_info is set to NULL;
- The client issues SELECT FROM I_S.
The fix is to wait for the Event Scheduler to reach 'Waiting
for next activation' state.
The SET PASSWORD statement is non-transactional (no explicit transaction
boundaries) in nature and hence is forbidden inside stored functions and
triggers, but it weren't being effectively forbidden.
The implemented fix is to issue a implicit commit with every SET PASSWORD
statement, effectively prohibiting these statements in stored functions
and triggers.
Query_log_event::error_code
A query can perform completely having the local var error of mysql_$query
zero, where $query in insert, update, delete, load,
and be binlogged with error_code e.g KILLED_QUERY while there is no
reason do to so.
That can happen because Query_log_event consults thd->killed flag to
evaluate error_code.
Fixed with implementing a scheme suggested and partly implemented at
time of bug@22725 work-on. error_status is cached immediatly after the
control leaves the main rows-loop and that instance always corresponds
to `error' the local of mysql_$query functions. The cached value
is passed to Query_log_event constructor, not the default thd->killed
which can be changed in between of the caching and the constructing.
Inserting Data.
The problem was that under some circumstances Field class was not
properly initialized before calling create_length_to_internal_length()
function, which led to assert failure.
The fix is to do the proper initialization.
The user-visible problem was that under some circumstances
CREATE TABLE ... SELECT statement crashed the server or led
to wrong error message (wrong results).
