Commit 313902c7 authored by unknown's avatar unknown

Fixed bug #16510: Updating field named like '*name' caused server crash.

When setup_fields() function finds field named '*' it expands it to the list
of all table fields. It does so by checking that the first char of
field_name is '*', but it doesn't checks that the '* is the only char.
Due to this, when updating table with a field named like '*name', such field
is wrongly treated as '*' and expanded. This leads to making list of fields
to update being longer than list of the new values. Later, the fill_record() 
function crashes by dereferencing null when there is left fields to update,
but no more values.

Added check in the setup_fields() function which ensures that the field
expanding will be done only when '*' is the only char in the field name.


mysql-test/t/update.test:
  Added test case for bug#16510: Updating field named like '*name' caused server crash
mysql-test/r/update.result:
  Added test case for bug#16510: Updating field named like '*name' caused server crash
sql/sql_base.cc:
  Fixed bug #16510: Updating field named like '*name' caused server crash.
  Added check in the setup_fields() function which ensures that the field
  expanding will be done only when '*' is the only char in the field name.
parent 3fd653b7
...@@ -216,3 +216,7 @@ select * from t1; ...@@ -216,3 +216,7 @@ select * from t1;
a b a b
0 2 0 2
drop table t1; drop table t1;
create table t1(f1 int, `*f2` int);
insert into t1 values (1,1);
update t1 set `*f2`=1;
drop table t1;
...@@ -174,3 +174,11 @@ insert into t1 values (0, '1'); ...@@ -174,3 +174,11 @@ insert into t1 values (0, '1');
update t1 set b = b + 1 where a = 0; update t1 set b = b + 1 where a = 0;
select * from t1; select * from t1;
drop table t1; drop table t1;
#
# Bug #16510 Updating field named like '*name' caused server crash
#
create table t1(f1 int, `*f2` int);
insert into t1 values (1,1);
update t1 set `*f2`=1;
drop table t1;
...@@ -1983,6 +1983,7 @@ int setup_fields(THD *thd, TABLE_LIST *tables, List<Item> &fields, ...@@ -1983,6 +1983,7 @@ int setup_fields(THD *thd, TABLE_LIST *tables, List<Item> &fields,
*/ */
if (item->type() == Item::FIELD_ITEM && if (item->type() == Item::FIELD_ITEM &&
((Item_field*) item)->field_name[0] == '*' && ((Item_field*) item)->field_name[0] == '*' &&
((Item_field*) item)->field_name[1] == 0 &&
!((Item_field*) item)->field) !((Item_field*) item)->field)
{ {
uint elem=fields.elements; uint elem=fields.elements;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment