~knielsen/maria/mysql-5.1.50-libmysqld.so : changes

~knielsen/maria/mysql-5.1.50-libmysqld.so » Changes from revision 3473

From Revision 3473 to 3454

Rev	Summary	Authors	Tags	Date
3473	Port MariaDB libmysqld.so patch to MySQL 5.1.50. Port MariaDB libmysqld.so patch to MySQL 5.1.50.	knielsen at knielsen...		13 years ago
3472	auto-merge mysql-5.1-security (local) --> mysql-5.1-security auto-merge mysql-5.1-security (local) --> mysql-5.1-security	Alfranio Correia	clone-5.1.50-build, mysql-5.1.50	13 years ago
3471	merge merge	Georgi Kodinov		13 years ago
3470	merge mysql-5.1-bugteam into mysql-5.1-security merge mysql-5.1-bugteam into mysql-5.1-security	Georgi Kodinov		13 years ago
3469	Bug #54461: crash with longblob and union or update with sub... Bug #54461: crash with longblob and union or update with subquery Queries may crash, if 1) the GREATEST or the LEAST function has a mixed list of numeric and LONGBLOB arguments and 2) the result of such a function goes through an intermediate temporary table. An Item that references a LONGBLOB field has max_length of UINT_MAX32 == (2^32 - 1). The current implementation of GREATEST/LEAST returns REAL result for a mixed list of numeric and string arguments (that contradicts with the current documentation, this contradiction was discussed and it was decided to update the documentation). The max_length of such a function call was calculated as a maximum of argument max_length values (i.e. UINT_MAX32). That max_length value of UINT_MAX32 was used as a length for the intermediate temporary table Field_double to hold GREATEST/LEAST function result. The Field_double::val_str() method call on that field allocates a String value. Since an allocation of String reserves an additional byte for a zero-termination, the size of String buffer was set to (UINT_MAX32 + 1), that caused an integer overflow: actually, an empty buffer of size 0 was allocated. An initialization of the "first" byte of that zero-size buffer with '\0' caused a crash. The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators. ****** Bug #54461: crash with longblob and union or update with subquery Queries may crash, if 1) the GREATEST or the LEAST function has a mixed list of numeric and LONGBLOB arguments and 2) the result of such a function goes through an intermediate temporary table. An Item that references a LONGBLOB field has max_length of UINT_MAX32 == (2^32 - 1). The current implementation of GREATEST/LEAST returns REAL result for a mixed list of numeric and string arguments (that contradicts with the current documentation, this contradiction was discussed and it was decided to update the documentation). The max_length of such a function call was calculated as a maximum of argument max_length values (i.e. UINT_MAX32). That max_length value of UINT_MAX32 was used as a length for the intermediate temporary table Field_double to hold GREATEST/LEAST function result. The Field_double::val_str() method call on that field allocates a String value. Since an allocation of String reserves an additional byte for a zero-termination, the size of String buffer was set to (UINT_MAX32 + 1), that caused an integer overflow: actually, an empty buffer of size 0 was allocated. An initialization of the "first" byte of that zero-size buffer with '\0' caused a crash. The Item_func_min_max::fix_length_and_dec() has been modified to calculate max_length for the REAL result like we do it for arithmetical operators.	Gleb Shchepa		13 years ago
3468	Bug #54476: crash when group_concat and 'with rollup' in Bug #54476: crash when group_concat and 'with rollup' in prepared statements Using GROUP_CONCAT() together with the WITH ROLLUP modifier could crash the server. The reason was a combination of several facts: 1. The Item_func_group_concat class stores pointers to ORDER objects representing the columns in the ORDER BY clause of GROUP_CONCAT(). 2. find_order_in_list() called from Item_func_group_concat::setup() modifies the ORDER objects so that their 'item' member points to the arguments list allocated in the Item_func_group_concat constructor. 3. In some cases (e.g. in JOIN::rollup_make_fields) a copy of the original Item_func_group_concat object could be created by using the Item_func_group_concat::Item_func_group_concat(THD thd, Item_func_group_concat item) copy constructor. The latter essentially creates a shallow copy of the source object. Memory for the arguments array is allocated on thd->mem_root, but the pointers for arguments and ORDER are copied verbatim. What happens in the test case is that when executing the query for the first time, after a copy of the original Item_func_group_concat object has been created by JOIN::rollup_make_fields(), find_order_in_list() is called for this new object. It then resolves ORDER BY by modifying the ORDER objects so that they point to elements of the arguments array which is local to the cloned object. When thd->mem_root is freed upon completing the execution, pointers in the ORDER objects become invalid. Those ORDER objects, however, are also shared with the original Item_func_group_concat object which is preserved between executions of a prepared statement. So the first call to find_order_in_list() for the original object on the second execution tries to dereference an invalid pointer. The solution is to create copies of the ORDER objects when copying Item_func_group_concat to not leave any stale pointers in other instances with different lifecycles.	Alexey Kopytov		13 years ago
3467	merge merge	Georgi Kodinov		13 years ago
3466	merge merge	Georgi Kodinov		13 years ago
3465	merge merge	Georgi Kodinov		13 years ago
3464	Fix bug #55039 Failing assertion: space_id > 0 in fil0fil.c. Fix bug #55039 Failing assertion: space_id > 0 in fil0fil.c. rb://396, approved by Sunny Bains.	Jimmy Yang		13 years ago
3463	Bug #54117 crash in thr_multi_unlock, temporary table Bug #54117 crash in thr_multi_unlock, temporary table This crash occured after ALTER TABLE was used on a temporary transactional table locked by LOCK TABLES. Any later attempts to execute LOCK/UNLOCK TABLES, caused the server to crash. The reason for the crash was the list of locked tables would end up having a pointer to a free'd table instance. This happened because ALTER TABLE deleted the table without also removing the table reference from the locked tables list. This patch fixes the problem by making sure ALTER TABLE also removes the table from the locked tables list. Test case added to innodb_mysql.test.	Jon Olav Hauglid		13 years ago
3462	Raise version number after cloning 5.1.49 Raise version number after cloning 5.1.49	karen.langford at su...		13 years ago
3461	Merge mysql-5.1-innodb -> mysql-5.1-security Merge mysql-5.1-innodb -> mysql-5.1-security Merge up to sunny.bains@oracle.com-20100625081841-ppulnkjk1qlazh82 . There are 8 more changesets in mysql-5.1-innodb, but PB2 shows a failure for a test added in one of them. If that is resolved quickly then those 8 more changesets will be merged too.	Vasil Dimov	clone-5.1.49-build	13 years ago
3460	merge merge	Georgi Kodinov		13 years ago
3459	merge merge	Georgi Kodinov		13 years ago
3458	merge merge	Georgi Kodinov		13 years ago
3457	merge merge	Georgi Kodinov		13 years ago
3456	merge merge	Georgi Kodinov		13 years ago
3455	Automerge. Automerge.	Alexey Kopytov		13 years ago
3454	Bug#51431 Wrong sort order after import of dump file Bug#51431 Wrong sort order after import of dump file The problem is that QUICK_SELECT_DESC behaviour depends on used_key_parts value which can be bigger than selected best_key_parts value if an engine supports clustered key. But used_key_parts is overwritten with best_key_parts value that prevents from correct selection of index access method. The fix is to preserve used_key_parts value for further use in QUICK_SELECT_DESC.	Sergey Glukhov		13 years ago

Older »