~akopytov/percona-server/bug915814-5.5

  • Committer: Alexey Kopytov
  • Date: 2012-03-25 11:34:06 UTC
  • Revision ID: akopytov@gmail.com-20120325113406-wl55qmaakkhc6x0i
Bug #856404: Crash when query_cache_strip_comments enabled

Added a simple fix for the bug after reverting the previous patch with
refactoring.

The original problem was that callers of QueryStripComments::set() did
not take the terminating zero in a query string into account when
calculating the additional_length argument value. It was calculated as
(thd->db_length + 1 + QUERY_CACHE_FLAGS_SIZE), though the query cache
buffer layout was as follows:

<statement>
'\0'
<db_name>
'\0'
<flags>

So the allocated buffer length was 1 byte less than
necessary. additional_length should have been calculated as (1 +
thd->db_length + 1 + QUERY_CACHE_FLAGS_SIZE). Additionally, the query
parsing code in QueryStripComments::set() could overrun the buffer due
to incorrect handling of apostrophes.

On top of that, the query cache buffer layout was changed in 5.5.18 as
follows:

<statement>
'\0'
<length of db_name as a size_t value>
<db_name>
<flags>

So the formula for additional_length becomes:

(1 + sizeof(size_t) + thd->db_length + QUERY_CACHE_FLAGS_SIZE)

Fixed by taking the above into account when calling
QueryStripComments::set() and porting a test case for bug #856404 from
the original patch.
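As an added illustration, not code from this commit or from Percona Server: a small C model of the 5.5.18+ entry layout and the additional_length formula given above, with a packer that refuses a buffer sized by the pre-fix formula (one byte short) and an unpacker that reads the db_name back. QUERY_CACHE_FLAGS_SIZE is a constructed placeholder value here, not the server's constant.

```c
#include <stddef.h>
#include <string.h>

/* Constructed value for this example; the server defines its own constant. */
#define QUERY_CACHE_FLAGS_SIZE 8

/* additional_length for the 5.5.18+ layout, as given in the commit message:
   '\0' terminator, size_t db_length, db_name, flags. */
size_t additional_length_fixed(size_t db_length) {
    return 1 + sizeof(size_t) + db_length + QUERY_CACHE_FLAGS_SIZE;
}

/* The same formula without the terminating zero: the under-allocation
   described in the commit message, kept only to show the one-byte gap. */
size_t additional_length_buggy(size_t db_length) {
    return sizeof(size_t) + db_length + QUERY_CACHE_FLAGS_SIZE;
}

/* Write <stmt>'\0'<db_length><db_name><flags> into buf.
   Returns bytes written, or 0 if buf cannot hold the whole entry. */
size_t pack_entry(char *buf, size_t buf_len, const char *stmt, size_t stmt_len,
                  const char *db, size_t db_length, const char *flags) {
    size_t need = stmt_len + additional_length_fixed(db_length);
    if (buf_len < need) return 0;                 /* refuse rather than overrun */
    char *p = buf;
    memcpy(p, stmt, stmt_len);                    p += stmt_len;
    *p++ = '\0';                                  /* the byte the old formula forgot */
    memcpy(p, &db_length, sizeof db_length);      p += sizeof db_length;
    memcpy(p, db, db_length);                     p += db_length;
    memcpy(p, flags, QUERY_CACHE_FLAGS_SIZE);     p += QUERY_CACHE_FLAGS_SIZE;
    return (size_t)(p - buf);
}

/* Read db_length and db_name back out of a packed entry; returns db_length,
   or (size_t)-1 if the entry is truncated or db_out is too small. */
size_t unpack_db_name(const char *buf, size_t buf_len, char *db_out, size_t db_out_len) {
    const char *end = memchr(buf, '\0', buf_len); /* end of <statement> */
    if (!end) return (size_t)-1;
    size_t off = (size_t)(end - buf) + 1;
    size_t db_length;
    if (buf_len - off < sizeof db_length) return (size_t)-1;
    memcpy(&db_length, buf + off, sizeof db_length);
    off += sizeof db_length;
    if (buf_len - off < db_length + QUERY_CACHE_FLAGS_SIZE || db_length >= db_out_len)
        return (size_t)-1;
    memcpy(db_out, buf + off, db_length);
    db_out[db_length] = '\0';
    return db_length;
}
```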