Commit 590652a1 authored by guilhem@mysql.com's avatar guilhem@mysql.com

Merge gbichot@213.136.52.20:/home/bk/mysql-4.1

into mysql.com:/home/mysql_src/mysql-4.1
parents 251bf4ab e450acc7
...@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length) ...@@ -3845,7 +3845,23 @@ mysql_parse(THD *thd, char *inBuf, uint length)
if (query_cache_send_result_to_client(thd, inBuf, length) <= 0) if (query_cache_send_result_to_client(thd, inBuf, length) <= 0)
{ {
LEX *lex=lex_start(thd, (uchar*) inBuf, length); LEX *lex=lex_start(thd, (uchar*) inBuf, length);
if (!yyparse((void *)thd) && ! thd->is_fatal_error) if (!yyparse((void *)thd) && ! thd->is_fatal_error &&
/*
If this is not a multiple query, ensure that it has been
successfully parsed until the last character. This is to prevent
against a wrong (too big) length passed to mysql_real_query(),
mysql_prepare()... which can generate garbage characters at the
end. If the query was initially multiple, found_colon will be false
only when we are in the last query; this last query had already
been end-spaces-stripped by alloc_query() in dispatch_command(); as
end spaces are the only thing we accept at the end of a query, and
they have been stripped already, here we can require that nothing
remains after parsing.
*/
(thd->lex->found_colon ||
(char*)(thd->lex->ptr) == (thd->query+thd->query_length+1) ||
/* yyerror() will show the garbage chars to the user */
(yyerror("syntax error"), 0)))
{ {
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
if (mqh_used && thd->user_connect && if (mqh_used && thd->user_connect &&
......
...@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length) ...@@ -909,7 +909,15 @@ bool mysql_stmt_prepare(THD *thd, char *packet, uint packet_length)
lex->safe_to_cache_query= 0; lex->safe_to_cache_query= 0;
lex->param_count= 0; lex->param_count= 0;
if (yyparse((void *)thd) || thd->is_fatal_error || send_prepare_results(stmt)) if (yyparse((void *)thd) || thd->is_fatal_error ||
/*
Check for wrong (too big) length passed to mysql_prepare() resulting in
garbage at the end of the query. There is a similar check in mysql_parse().
*/
(!thd->lex->found_colon &&
(char*)(thd->lex->ptr) != (thd->query+thd->query_length+1) &&
/* yyerror() will show the garbage chars to the user */
(yyerror("syntax error"), 1)) || send_prepare_results(stmt))
goto yyparse_err; goto yyparse_err;
lex_end(lex); lex_end(lex);
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment