1. 16 Dec, 2010 2 commits
    • Martin Hansson's avatar
      Null-merge of back-port of Bug#54568. · 1c0374dc
      Martin Hansson authored
      1c0374dc
    • Martin Hansson's avatar
      Bug#54568: create view cause Assertion failed: 0, · ffdeb062
      Martin Hansson authored
      file .\item_subselect.cc, line 836
           
      IN quantified predicates are never executed directly. They are rather wrapped
      inside nodes called IN Optimizers (Item_in_optimizer) which take care of the
      execution. However, this is not done during query preparation. Unfortunately
      the LIKE predicate pre-evaluates constant right-hand side arguments even
      during name resolution. Likely this is meant as an optimization.
            
      Fixed by not pre-evaluating LIKE arguments in view prepare mode.
      
      Back-ported to 5.0s
      ffdeb062
  2. 15 Dec, 2010 2 commits
    • Alexander Nozdrin's avatar
      Auto-merge from mysql-5.0-security. · 0c2ef4a6
      Alexander Nozdrin authored
      0c2ef4a6
    • Alexander Nozdrin's avatar
      Patch for Bug#57952 (privilege change is not taken into account by EXECUTE). · 1bd81f6b
      Alexander Nozdrin authored
      The user-visible problem was that changes to column-level privileges,
      happened in between of PREPARE and EXECUTE of a prepared statement, were
      neglected. I.e. a prepared statement could be executed with the
      column-level privileges as of PREPARE-time. The problem existed for
      column-level privileges only.
      
      A similar problem existed for stored programs: the changes between
      executions didn't have an effect.
      
      Technically the thing is that table references are cached in
      Prepared_statement::prepare() call. In subsequent
      Prepared_statement::execute() calls those cached values are used.
      There are two functions to get a field by name: find_field_in_table() and
      find_field_in_table_ref(). On prepare-phase find_field_in_table_ref() is
      called, on execute-phase -- find_field_in_table() because the table is
      cached. find_field_in_table() does not check column-level privileges and
      expects the caller to do that. The problem was that this check was
      forgotten.
      
      The fix is to check them there as it happens in find_field_in_table_ref().
      1bd81f6b
  3. 08 Dec, 2010 2 commits
  4. 06 Dec, 2010 1 commit
    • Gleb Shchepa's avatar
      Bug #57187: more user variable fun with multiple · e5a88caf
      Gleb Shchepa authored
                  assignments and comparison in query
      
      A query that compares assignments of the same
      user variable caused Valgrind warnings: access
      to freed memory region.
      
      In case of a DECIMAL argument the assignment
      operator (:=) may return a pointer to a stored
      value instead of its copy when evaluated.
      The next assignment to the same variable may:
       a) overwrite the stored value with a new one
          and return the same pointer or even
       b) reallocate stored value.
      
      Thus, if we evaluate an assignment and keep
      the result pointer and then evaluate another
      assignment to the same variable, then the
      kept result pointer of the first assignment
      will point to unexpectedly changed data or
      it may be a dead pointer.
      
      That may cause wrong data or crash.
      
      The user_var_entry::val_decimal method has
      been modified to copy user variable data.
      
      
      mysql-test/r/user_var.result:
        Test case for bug #57187.
      mysql-test/t/user_var.test:
        Test case for bug #57187.
      sql/item_func.cc:
        Bug #57187: more user variable fun with multiple
                    assignments and comparison in query
        
        The user_var_entry::val_decimal method has
        been modified to copy user variable data.
      e5a88caf
  5. 03 Dec, 2010 2 commits
  6. 30 Nov, 2010 1 commit
  7. 26 Nov, 2010 2 commits
  8. 25 Nov, 2010 1 commit
  9. 24 Nov, 2010 8 commits
    • Gleb Shchepa's avatar
      backport of bug #54461 from 5.1-security to 5.0-security · a30e9dda
      Gleb Shchepa authored
       > revision-id: gshchepa@mysql.com-20100801181236-uyuq6ewaq43rw780
       > parent: alexey.kopytov@sun.com-20100723115254-jjwmhq97b9wl932l
       > committer: Gleb Shchepa <gshchepa@mysql.com>
       > branch nick: mysql-5.1-security
       > timestamp: Sun 2010-08-01 22:12:36 +0400
       > Bug #54461: crash with longblob and union or update with subquery
       >
       > Queries may crash, if
       >   1) the GREATEST or the LEAST function has a mixed list of
       >      numeric and LONGBLOB arguments and
       >   2) the result of such a function goes through an intermediate
       >      temporary table.
       >
       > An Item that references a LONGBLOB field has max_length of
       > UINT_MAX32 == (2^32 - 1).
       >
       > The current implementation of GREATEST/LEAST returns REAL
       > result for a mixed list of numeric and string arguments (that
       > contradicts with the current documentation, this contradiction
       > was discussed and it was decided to update the documentation).
       >
       > The max_length of such a function call was calculated as a
       > maximum of argument max_length values (i.e. UINT_MAX32).
       >
       > That max_length value of UINT_MAX32 was used as a length for
       > the intermediate temporary table Field_double to hold
       > GREATEST/LEAST function result.
       >
       > The Field_double::val_str() method call on that field
       > allocates a String value.
       >
       > Since an allocation of String reserves an additional byte
       > for a zero-termination, the size of String buffer was
       > set to (UINT_MAX32 + 1), that caused an integer overflow:
       > actually, an empty buffer of size 0 was allocated.
       >
       > An initialization of the "first" byte of that zero-size
       > buffer with '\0' caused a crash.
       >
       > The Item_func_min_max::fix_length_and_dec() has been
       > modified to calculate max_length for the REAL result like
       > we do it for arithmetical operators.
      
      
      mysql-test/r/func_misc.result:
        Test case for bug #54461.
      mysql-test/t/func_misc.test:
        Test case for bug #54461.
      sql/item_func.cc:
        Bug #54461: crash with longblob and union or update with subquery
        
        The Item_func_min_max::fix_length_and_dec() has been
        modified to calculate max_length for the REAL result like
        we do it for arithmetical operators.
      a30e9dda
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-security. · 3ee4964c
      Alexander Nozdrin authored
      3ee4964c
    • Alexander Nozdrin's avatar
      A follow-up for Bug#58339 (Replace Server GPL README file). · 14b38121
      Alexander Nozdrin authored
      Fix formatting issues in README file.
      14b38121
    • Alexander Nozdrin's avatar
      Empty merge from mysql-5.0-security. · dde10d4b
      Alexander Nozdrin authored
      dde10d4b
    • Alexander Nozdrin's avatar
      Merge from mysql-5.1-bugteam. · 9cf37e24
      Alexander Nozdrin authored
      9cf37e24
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · 523a4745
      Alexander Nozdrin authored
      523a4745
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · 1e43b94c
      Alexander Nozdrin authored
      1e43b94c
    • Alexander Nozdrin's avatar
      A follow-up for Bug#58340 (Remove Server GPL EXCEPTIONS-CLIENT file) -- remove all · 85f855e0
      Alexander Nozdrin authored
      EXCEPTIONS-CLIENT from all the places.
      85f855e0
  10. 23 Nov, 2010 4 commits
    • Ramil Kalimullin's avatar
      binlog.binlog_row_failure_mixing_engines test disabled. · 698c9c3a
      Ramil Kalimullin authored
      See bug #58416.
      698c9c3a
    • Ramil Kalimullin's avatar
      Auto-merge with mysql-5.1-bugteam. · 55114ee2
      Ramil Kalimullin authored
      55114ee2
    • Ramil Kalimullin's avatar
      Auto-merge with mysql-5.0-bugteam. · 787e41d2
      Ramil Kalimullin authored
      787e41d2
    • Sergey Glukhov's avatar
      Bug#56862 Execution of a query that uses index merge returns a wrong result · cf0cc723
      Sergey Glukhov authored
      In case of low memory sort buffer QUICK_INDEX_MERGE_SELECT creates
      temporary file where is stores row ids which meet QUICK_SELECT ranges
      except of clustered pk range, clustered range is processed separately.
      In init_read_record we check if temporary file is used and choose
      appropriate record access method. It does not take into account that
      temporary file contains partial result in case of QUICK_INDEX_MERGE_SELECT
      with clustered pk range.
      The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT
      with clustered pk range is used.
      
      
      mysql-test/suite/innodb/r/innodb_mysql.result:
        test case
      mysql-test/suite/innodb/t/innodb_mysql.test:
        test case
      mysql-test/suite/innodb_plugin/r/innodb_mysql.result:
        test case
      mysql-test/suite/innodb_plugin/t/innodb_mysql.test:
        test case
      sql/opt_range.h:
        added new method
      sql/records.cc:
        The fix is always to use rr_quick if QUICK_INDEX_MERGE_SELECT
        with clustered pk range is used.
      cf0cc723
  11. 22 Nov, 2010 7 commits
    • Gleb Shchepa's avatar
      empty upmerge after backport of bug 55568 · 65f94002
      Gleb Shchepa authored
      5.0-security --> 5.1-security
      65f94002
    • Gleb Shchepa's avatar
      backport: Bug #55568 from 5.1-security to 5.0-security · 47bb750c
      Gleb Shchepa authored
      > revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h
      > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53
      > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
      > branch nick: 5.1-security
      > timestamp: Tue 2010-08-24 14:35:48 +0400
      > message:
      >   Bug #55568: user variable assignments crash server when used
      >               within query
      >   
      >   The server could crash after materializing a derived table
      >   which requires a temporary table for grouping.
      >   
      >   When destroying the temporary table used to execute a query for
      >   a derived table, JOIN::destroy() did not clean up Item_fields
      >   pointing to fields in the temporary table. This led to
      >   dereferencing a dangling pointer when printing out the items
      >   tree later in the outer SELECT.
      >   
      >   The solution is an addendum to the patch for bug37362: in
      >   addition to cleaning up items in tmp_all_fields3, do the same
      >   for items in tmp_all_fields1, since now we have an example
      >   where this is necessary.
      
      
      sql/field.cc:
        Make sure field->table_name is not set to NULL in
        Field::make_field() to avoid assertion failure in 
        Item_field::make_field() after cleaning up items
        (the assertion fired in udf.test when running
        the test suite with the patch applied).
      sql/sql_select.cc:
        In addition to cleaning up items in tmp_all_fields3, do the
        same for items in tmp_all_fields1.
        Introduce a new helper function to avoid code duplication.
      sql/sql_select.h:
        Introduce a new helper function to avoid code duplication in
        JOIN::destroy().
      47bb750c
    • Alexander Nozdrin's avatar
      Merge from mysql-5.0-bugteam. · 412f1141
      Alexander Nozdrin authored
      412f1141
    • Alexander Nozdrin's avatar
    • Alexander Nozdrin's avatar
    • Ramil Kalimullin's avatar
      Manual-merge from mysql-5.1-bugteam. · 65116d34
      Ramil Kalimullin authored
      65116d34
    • Guilhem Bichot's avatar
      Fix for Bug#56138 "valgrind errors about overlapping memory when double-assigning same variable", · 96b04049
      Guilhem Bichot authored
      and related small fixes.
      
      mysql-test/t/user_var.test:
        test for bug
      sql/field_conv.cc:
        From the C standard, memcpy() has undefined behaviour if to->ptr==from->ptr
      sql/item_func.cc:
        In the case of BUG#56138, entry->value==ptr in which case memcpy()
        has undefined results per the C standard.
      sql/sql_select.cc:
        Work around a bug in old gcc
      96b04049
  12. 20 Nov, 2010 1 commit
  13. 18 Nov, 2010 1 commit
    • Georgi Kodinov's avatar
      Bug #50021: Windows standard configuration files are showing Linux · 05c9acaa
      Georgi Kodinov authored
       options/settings
       
       1. Changed the default value for socket on Windows to the windows
       default
       2. Removed hard-coded trailing slashes from innodb_data_home_dir
       and innodb_log_group_name_dir.
       3. Added extra backslashes to the innodb directory example
       4. Made the tempdir platform "dependent"
       5. Fixed the comments in the .ini files
       6. Removed the tmpdir from the templates and the scripts
      05c9acaa
  14. 19 Nov, 2010 1 commit
  15. 18 Nov, 2010 5 commits