1. 30 Sep, 2010 1 commit
  2. 29 Sep, 2010 1 commit
  3. 28 Sep, 2010 1 commit
  4. 22 Sep, 2010 1 commit
  5. 21 Sep, 2010 1 commit
  6. 20 Sep, 2010 1 commit
  7. 15 Sep, 2010 1 commit
  8. 14 Sep, 2010 1 commit
  9. 10 Sep, 2010 1 commit
  10. 31 Aug, 2010 1 commit
  11. 30 Aug, 2010 2 commits
  12. 25 Aug, 2010 2 commits
  13. 19 Aug, 2010 2 commits
  14. 10 Aug, 2010 1 commit
  15. 04 Aug, 2010 2 commits
  16. 03 Aug, 2010 2 commits
  17. 02 Aug, 2010 5 commits
  18. 01 Aug, 2010 1 commit
    • Gleb Shchepa's avatar
      Bug #54461: crash with longblob and union or update with subquery · 38165ce4
      Gleb Shchepa authored
      Queries may crash, if
        1) the GREATEST or the LEAST function has a mixed list of
           numeric and LONGBLOB arguments and
        2) the result of such a function goes through an intermediate
           temporary table.
      
      An Item that references a LONGBLOB field has max_length of
      UINT_MAX32 == (2^32 - 1).
      
      The current implementation of GREATEST/LEAST returns REAL
      result for a mixed list of numeric and string arguments (that
      contradicts with the current documentation, this contradiction
      was discussed and it was decided to update the documentation).
      
      The max_length of such a function call was calculated as a
      maximum of argument max_length values (i.e. UINT_MAX32).
      
      That max_length value of UINT_MAX32 was used as a length for
      the intermediate temporary table Field_double to hold
      GREATEST/LEAST function result.
      
      The Field_double::val_str() method call on that field
      allocates a String value.
      
      Since an allocation of String reserves an additional byte
      for a zero-termination, the size of String buffer was
      set to (UINT_MAX32 + 1), that caused an integer overflow:
      actually, an empty buffer of size 0 was allocated.
      
      An initialization of the "first" byte of that zero-size
      buffer with '\0' caused a crash.
      
      The Item_func_min_max::fix_length_and_dec() has been
      modified to calculate max_length for the REAL result like
      we do it for arithmetical operators.
      
      
      ******
      Bug #54461: crash with longblob and union or update with subquery
      
      Queries may crash, if
        1) the GREATEST or the LEAST function has a mixed list of
           numeric and LONGBLOB arguments and
        2) the result of such a function goes through an intermediate
           temporary table.
      
      An Item that references a LONGBLOB field has max_length of
      UINT_MAX32 == (2^32 - 1).
      
      The current implementation of GREATEST/LEAST returns REAL
      result for a mixed list of numeric and string arguments (that
      contradicts with the current documentation, this contradiction
      was discussed and it was decided to update the documentation).
      
      The max_length of such a function call was calculated as a
      maximum of argument max_length values (i.e. UINT_MAX32).
      
      That max_length value of UINT_MAX32 was used as a length for
      the intermediate temporary table Field_double to hold
      GREATEST/LEAST function result.
      
      The Field_double::val_str() method call on that field
      allocates a String value.
      
      Since an allocation of String reserves an additional byte
      for a zero-termination, the size of String buffer was
      set to (UINT_MAX32 + 1), that caused an integer overflow:
      actually, an empty buffer of size 0 was allocated.
      
      An initialization of the "first" byte of that zero-size
      buffer with '\0' caused a crash.
      
      The Item_func_min_max::fix_length_and_dec() has been
      modified to calculate max_length for the REAL result like
      we do it for arithmetical operators.
      38165ce4
  19. 30 Jul, 2010 9 commits
  20. 29 Jul, 2010 4 commits
    • Vasil Dimov's avatar
      Merge mysql-5.1-innodb -> mysql-5.1-bugteam · 2aee4d8d
      Vasil Dimov authored
      2aee4d8d
    • Vasil Dimov's avatar
      Merge mysql-5.1-bugteam -> mysql-5.1-innodb · a95441c0
      Vasil Dimov authored
      a95441c0
    • Alexander Barkov's avatar
      Postfix for BUG#45012. · c7071a72
      Alexander Barkov authored
      Problem: The original patch didn't compile on debug_werror
      due to wrong format in printf("%d") for size_t variables.
      
      Fix: Adding cast to (int).
      c7071a72
    • 's avatar
      BUG#49124 Security issue with /*!-versioned */ SQL statements on Slave · 2ad690fd
      authored
      /*![:version:] Query Code */, where [:version:] is a sequence of 5 
      digits representing the mysql server version(e.g /*!50200 ... */),
      is a special comment that the query in it can be executed on those 
      servers whose versions are larger than the version appearing in the 
      comment. It leads to a security issue when slave's version is larger 
      than master's. A malicious user can improve his privileges on slaves. 
      Because slave SQL thread is running with SUPER privileges, so it can
      execute queries that he/she does not have privileges on master.
      
      This bug is fixed with the logic below: 
      - To replace '!' with ' ' in the magic comments which are not applied on
        master. So they become common comments and will not be applied on slave.
      
      - Example:
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /*!99999 ,(3)*/
        will be binlogged as
        'INSERT INTO t1 VALUES (1) /*!10000, (2)*/ /* 99999 ,(3)*/
      2ad690fd