102.1.1
by kinoyasu
add header and rule, as the first step of the reordering patch for separate release |
# name : bug580324.patch |
# introduced : 11 or before |
# maintainer : Oleg |
# |
#!!! notice !!! |
# Any small change to this file in the main branch |
# should be done or reviewed by the maintainer! |
129.1.1
by Oleg Tsarev
fix diff -Nur syntax to diff -ruN |
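diff -ruN a/sql/sql_base.cc b/sql/sql_base.cc
--- a/sql/sql_base.cc 2010-05-27 19:54:18.000000000 +0400
+++ b/sql/sql_base.cc 2010-05-27 19:55:20.000000000 +0400
@@ -233,8 +233,12 @@
 uint create_table_def_key(THD *thd, char *key, TABLE_LIST *table_list,
 bool tmp_table)
 {
- uint key_length= (uint) (strmov(strmov(key, table_list->db)+1,
- table_list->table_name)-key)+1;
+ char *db_end= strnmov(key, table_list->db, MAX_DBKEY_LENGTH - 2);
+ *db_end++= '\0';
+ char *table_end= strnmov(db_end, table_list->table_name,
+ key + MAX_DBKEY_LENGTH - 1 - db_end);
+ *table_end++= '\0';
+ uint key_length= (uint) (table_end-key);
 if (tmp_table)
 {
 int4store(key + key_length, thd->server_id);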
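Review bot: The two strnmov limits let key_length reach MAX_DBKEY_LENGTH, yet the tmp_table branch at the end of the hunk still stores four more bytes at `key + key_length` through int4store. If callers size the key buffer as MAX_DBKEY_LENGTH (the buffer is not visible here), that store lands past its end, so the limits should reserve room for the temporary-table suffix or the function should reject over-long names instead of truncating. Truncation is also silent: two different over-long db/table names would produce the same key, which deserves at least a comment such as `/* names longer than the key buffer are truncated, not rejected */`. The body of create_table_def_key continues outside the hunk.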
129.1.1
by Oleg Tsarev
fix diff -Nur syntax to diff -ruN |
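diff -ruN a/sql/sql_parse.cc b/sql/sql_parse.cc
--- a/sql/sql_parse.cc 2010-05-27 19:54:18.000000000 +0400
+++ b/sql/sql_parse.cc 2010-05-27 20:03:20.000000000 +0400
@@ -1327,10 +1327,12 @@
 break;
 #else
 {
- char *fields, *packet_end= packet + packet_length, *arg_end;
+ char *fields, *packet_end= packet + packet_length, *wildcard;
 /* Locked closure of all tables */
 TABLE_LIST table_list;
- LEX_STRING conv_name;
+ char db_buff[NAME_LEN+1];
+ uint32 db_length;
+ uint dummy_errors;
 
 /* used as fields initializator */
 lex_start(thd);
@@ -1342,26 +1344,22 @@
 /*
 We have name + wildcard in packet, separated by endzero
 */
- arg_end= strend(packet);
- uint arg_length= arg_end - packet;
-
- /* Check given table name length. */
- if (arg_length >= packet_length || arg_length > NAME_LEN)
+ wildcard= strend(packet);
+ db_length= wildcard - packet;
+ wildcard++;
+ uint query_length= (uint) (packet_end - wildcard); // Don't count end \0
+ if (db_length > NAME_LEN || query_length > NAME_LEN)
 {
 my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
 break;
 }
- thd->convert_string(&conv_name, system_charset_info,
- packet, arg_length, thd->charset());
- if (check_table_name(conv_name.str, conv_name.length, FALSE))
- {
- /* this is OK due to convert_string() null-terminating the string */
- my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
+ db_length= copy_and_convert(db_buff, sizeof(db_buff)-1,
+ system_charset_info, packet, db_length,
+ thd->charset(), &dummy_errors);
+ db_buff[db_length]= '\0';
+ table_list.alias= table_list.table_name= db_buff;
+ if (!(fields= (char *) thd->memdup(wildcard, query_length + 1)))
 break;
- }
-
- table_list.alias= table_list.table_name= conv_name.str;
- packet= arg_end + 1;
 
 if (is_schema_db(table_list.db, table_list.db_length))
 {
@@ -1370,9 +1368,6 @@
 table_list.schema_table= schema_table;
 }
 
- uint query_length= (uint) (packet_end - packet); // Don't count end \0
- if (!(fields= (char *) thd->memdup(packet, query_length + 1)))
- break;
 thd->set_query(fields, query_length);
 general_log_print(thd, command, "%s %s", table_list.table_name, fields);
 if (lower_case_table_names)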
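Review bot: In the second hunk the converted name in db_buff is assigned to table_list.table_name without the check_table_name() validation that the removed lines performed, and no replacement is visible in these hunks. Unless the name is validated later in this case block (outside the hunk), the check should be restored on the new buffer, for example `if (check_table_name(db_buff, db_length, FALSE)) { my_error(ER_WRONG_TABLE_NAME, MYF(0), db_buff); break; }`. The old `arg_length >= packet_length` test is gone as well, so a name that runs up to packet_end is rejected only because `packet_end - wildcard` wraps when cast to uint; an explicit comparison against packet_end, or a comment stating that the wrap is intended, would make that dependable. The conversion error count in dummy_errors is discarded, and db_buff/db_length hold a table name, so a rename or a comment would avoid confusion.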
129.1.1
by Oleg Tsarev
fix diff -Nur syntax to diff -ruN |
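diff -ruN a/strings/ctype-utf8.c b/strings/ctype-utf8.c
--- a/strings/ctype-utf8.c 2010-05-06 19:28:05.000000000 +0400
+++ b/strings/ctype-utf8.c 2010-05-27 20:04:20.000000000 +0400
@@ -4116,6 +4116,10 @@
 {
 int code;
 char hex[]= "0123456789abcdef";
+
+ if (s >= e)
+ return MY_CS_TOOSMALL;
+
 if (wc < 128 && filename_safe_char[wc])
 {
 *s= (uchar) wc;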
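Review bot: The added `s >= e` guard only proves there is room for the one-byte store in the filename_safe_char branch that follows it. Any longer encodings this function writes lie past the end of the hunk, so whether each of them checks its own length against `e` cannot be seen here and should be confirmed. A short comment above the check would record the intent, for example `/* no room for even a single output byte */`. The function's signature and the rest of its body are outside the hunk.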