Committer: Alexey Kopytov
Date: 2012-03-25 11:34:06 UTC
Revision ID: akopytov@gmail.com-20120325113406-wl55qmaakkhc6x0i
Bug #856404: Crash when query_cache_strip_comments enabled
Added a simple fix for the bug after reverting the previous patch with
refactoring.
The original problem was that callers of QueryStripComments::set() did
not take the terminating zero in a query string into account when
calculating the additional_length argument value. It was calculated as
(thd->db_length + 1 + QUERY_CACHE_FLAGS_SIZE), though the query cache
buffer layout was as follows:
<statement>
'\0'
<db_name>
'\0'
<flags>
So the allocated buffer length was 1 byte less than
necessary. additional_length should have been calculated as (1 +
thd->db_length + 1 + QUERY_CACHE_FLAGS_SIZE). Additionally, the query
parsing code in QueryStripComments::set() could overrun the buffer due
to incorrect handling of apostrophes.
On top of that, the query cache buffer layout was changed in 5.5.18 as
follows:
<statement>
'\0'
<length of db_name as a size_t value>
<db_name>
<flags>
So the formula for additional_length becomes:
(1 + sizeof(size_t) + thd->db_length + QUERY_CACHE_FLAGS_SIZE)
Fixed by taking the above into account when calling
QueryStripComments::set() and porting a test case for bug #856404 from
the original patch.