Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
checked for sanity. By sending long data for the table a buffer is overflown, which can
be used deliberately to include code that harms".
Fix: check incoming data length.
sql/sql_parse.cc:
Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
- check incoming mysql_list_fields() table name arg length.
This is branches/zip@r6032 in SVN and _is part_ of
revid:svn-v4:16c675df-0fcb-4bc9-8058-dcc011a37293:branches/zip:6113
in BZR.
This is being reverted because now the code is serialized directly on
index->stat_n_diff_key_vals[] as the fix for
Bug#53046 dict_update_statistics_low can still be run concurrently on same table
goes.
on same table
Protect dict_index_t::stat_n_diff_key_vals[] with an array of
mutexes.
Testing: tested all code paths under UNIV_SYNC_DEBUG
for the one in dict_print() one has to enable the InnoDB table monitor:
CREATE TABLE innodb_table_monitor (a int) ENGINE=INNODB;
------------------------------------------------------------------------
r6103 | marko | 2009-10-26 15:46:18 +0200 (Mon, 26 Oct 2009) | 4 lines
Changed paths:
M /branches/zip/row/row0ins.c
branches/zip: row_ins_alloc_sys_fields(): Zero out the system columns
DB_TRX_ID, DB_ROLL_PTR and DB_ROW_ID, in order to avoid harmless
Valgrind warnings about uninitialized data. (The warnings were
harmless, because the fields would be initialized at a later stage.)
------------------------------------------------------------------------
Extract part of innodb.innodb into innodb.innodb_misc1
This is needed in order to be able to more easily debug this test,
under valgrind, it is too huge.
The problem was in an incorrect debug assertion. The expression
used in the failing assertion states that when finding
references matching ORDER BY expressions, there can be only one
reference to a single table. But that does not make any sense,
all test cases for this bug are valid examples with multiple
identical WHERE expressions referencing the same table which
are also present in the ORDER BY list.
Fixed by removing the failing assertion. We also have to take
care of the 'found' counter so that we count multiple
references only once. We rely on this fact later in
eq_ref_table().
mysql-test/r/join.result:
Added a test case for bug #50335.
mysql-test/t/join.test:
Added a test case for bug #50335.
sql/sql_select.cc:
Removing the assertion in eq_ref_table() as it does not make
any sense. We also have to take care of the 'found' counter so
that we count multiple references only once. We rely on this
fact later in eq_ref_table().
When row_merge_drop_temp_indexes() was reworked to drop the indexes
via the data dictionary cache, the code was broken because it would
read the index name from the wrong field.
btr_page_tuple_smaller(): New function, refactored from
btr_page_split_and_insert().
btr_page_get_split_rec(): Renamed from btr_page_get_sure_split_rec().
Note that a NULL return may mean that the tuple is to be inserted into
either the lower or upper page, to be determined by btr_page_tuple_smaller().
btr_page_split_and_insert(): When btr_page_get_split_rec() returns NULL,
invoke btr_page_tuple_smaller() to determine which half-page the tuple
belongs to.
Reviewed by Sunny Bains
of sync
In RBR, sometimes the table->s->last_null_bit_pos can be zero. This
has impact at the slave when it compares records fetched from the
storage engine against records in the binary log event. If
last_null_bit_pos is zero the slave, while comparing in
log_event.cc:record_compare function, would set all bits in the last
null_byte to 1 (assumed all 8 were unused) . Thence it would loose the
ability to distinguish records that were similar in contents except
for the fact that some field was null in one record, but not in the
other. Ultimately this would cause wrong matches, and in the specific
case depicted in the bug report the same record would be updated
twice, resulting in a lost update.
Additionally, in the record_compare function the slave was setting the
X bit unconditionally. There are cases that the X bit does not exist
in the record header. This could also lead to wrong matches between
records.
We fix both by conditionally resetting the bits: (i) unused null_bits
are set if last_null_bit_pos > 0; (ii) X bit is set if
HA_OPTION_PACK_RECORD is in use.
mysql-test/extra/rpl_tests/rpl_record_compare.test:
Shared part of the test case for MyISAM and InnoDB.
mysql-test/suite/rpl/t/rpl_row_rec_comp_innodb.test:
InnoDB test case.
mysql-test/suite/rpl/t/rpl_row_rec_comp_myisam.test:
MyISAM test case. Added also coverage for Field_bits case.
sql/log_event.cc:
Deployed conditional setting of unused bits at record_compare.
sql/log_event_old.cc:
Same change as in log_event.cc.
Correcting a patch misstake. The converted file path is placed in 'buff' not in opt_secure_file_priv.
mysql-test/r/loaddata.result:
* Updated test case; Since secure_file_priv now is normalized the previous values are changed.
sql/mysqld.cc:
* Fixed patch misstake
The server variable opt_secure_file_priv wasn't
normalized properly and caused the operations
LOAD DATA INFILE .. INTO TABLE ..
and
SELECT load_file(..)
to do different interpretations of the
--secure-file-priv option.
The patch moves code to the server initialization
routines so that the path always is normalized
once and only once.
It was also intended that setting the option
to an empty string should be equal to
lifting all previously set restrictions. This
is also fixed by this patch.
sql/mysqld.cc:
* If --secure_file_option is an empty string then the option variable
should be unset.
* opt_secure_file_option should be normalized once when the server starts.
sql/sql_load.cc:
* moved variable normalization code to fix_paths()
Potential deadlock situation involving LOCK_plugin,
LOCK_global_system_variables and LOCK_status.
This patch backports the fix from next-mr, unlocking
LOCK_plugin before calling plugin->init() and
add_status_vars().
Arg_comparator initializes 'comparators' array in case of
ROW comparison and does not free this array on destruction.
It leads to memory leaks.
The fix:
-added Arg_comparator::cleanup() method which frees
'comparators' array.
-added Item_bool_func2::cleanup() method which calls
Arg_comparator::cleanup() method
mysql-test/r/ps.result:
test case
mysql-test/r/row.result:
test case
mysql-test/t/ps.test:
test case
mysql-test/t/row.test:
test case
sql/item_cmpfunc.h:
-added Arg_comparator::cleanup() method which frees
'comparators' array.
-added Item_bool_func2::cleanup() method which calls
Arg_comparator::cleanup() method
When re-setting (SET GLOBAL debug='') the GLOBAL debug settings the
server was not freeing the data elements from the top (initial) frame
before setting them to 0 without freeing the underlying memory. As these
are global settings there's a chance that something is there already.
Fixed by :
1. making sure the allocated data are cleaned up before re-setting them
while parsing a debug string
2. making sure the stuff allocated in the global settings is freed on
shutdown.
indexed BLOBs for ROW_FORMAT=DYNAMIC and ROW_FORMAT_COMPRESSED tables
(Bug #52746). In these tables, the locally stored prefix of a BLOB can
be as small as 20 bytes (BTR_EXTERN_FIELD_REF_SIZE). ROW_FORMAT=REDUNDANT
and ROW_FORMAT=COMPACT store a prefix of 768 bytes (REC_MAX_INDEX_COL_LEN).
trx_undo_rec_get_col_val(): Relax the ut_ad() assertion and add a
reference to dtuple_convert_big_rec().
trx_undo_rec_get_partial_row(): Relax the ut_a() assertion that
prompted Bug #52746.
