1. 10 Oct, 2011 1 commit
  2. 07 Oct, 2011 1 commit
    • Magne Mahre's avatar
      BUG#12589870 CRASHES WITH MULTIQUERY PACKET + USE<DB> + QUERY CACHE · e02c3d7f
      Magne Mahre authored
       
      A buffer large enough to hold the query _plus_ some additional
      data is allocated before parsing is started.   The additional data 
      is used by the query cache, and consists of the name of the current 
      database and a set of flags.
       
      When a packet containing multiple SQL statements is sent to the
      server and one of the statements changes the current database
      (a "USE <db>" statement), and the name of the new current database 
      is longer than of the previous,  there is not enough space in the 
      buffer for the new name, and we write out over the buffer boundary.
      
      The fix adds an extra field to store the number of bytes
      allocated to the database name in the buffer.  If the current
      database name changes, and the new name is longer than the
      previous one, we refuse to cache the query.
      e02c3d7f
  3. 06 Oct, 2011 2 commits
  4. 29 Sep, 2011 2 commits
    • Tatjana Azundris Nuernberg's avatar
      manual merge · 22532c2c
      Tatjana Azundris Nuernberg authored
      22532c2c
    • Tatjana Azundris Nuernberg's avatar
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows /... · 546084eb
      Tatjana Azundris Nuernberg authored
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows / underlying table's name
      
      1 - If a user had SHOW VIEW and SELECT privileges on a view and
      this view was referencing another view, EXPLAIN SELECT on the outer
      view (that the user had privileges on) could reveal the structure
      of the underlying "inner" view as well as the number of rows in
      the underlying tables, even if the user had privileges on none of
      these referenced objects.
      
      This happened because we used DEFINER's UID ("SUID") not just for
      the view given in EXPLAIN, but also when checking privileges on
      the underlying views (where we should use the UID of the EXPLAIN's
      INVOKER instead).
      
      We no longer run the EXPLAIN SUID (with DEFINER's privileges).
      This prevents a possible exploit and makes permissions more
      orthogonal.
      
      2 - EXPLAIN SELECT would reveal a view's structure even if the user
      did not have SHOW VIEW privileges for that view, as long as they
      had SELECT privilege on the underlying tables.
      
      Instead of requiring both SHOW VIEW privilege on a view and SELECT
      privilege on all underlying tables, we were checking for presence
      of either of them.
      
      We now explicitly require SHOW VIEW and SELECT privileges on
      the view we run EXPLAIN SELECT on, as well as all its
      underlying views. We also require SELECT on all relevant
      tables. 
      546084eb
  5. 22 Sep, 2011 1 commit
    • Alexander Nozdrin's avatar
      Fix for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY. · 41dc3049
      Alexander Nozdrin authored
      The main problem was that lex_start() was forgotten to be called before processing
      COM_REFRESH.
      
      Another problem discovered was that if failures to flush the error log were not properly
      handled, which resulted in the server crash.
      
      The user-visible effect of these problems were:
        - if COM_REFRESH command was sent after SQL-queries of some sort,
          the server would crash.
        - if COM_REFRESH was requested with REFRESH_LOG only, and the error log
          failed to flush, the server would crash. The error log fails to flush
          when it points to unavailable file (for example, due to restricted
          permissions).
      
      The fixes are:
        - call lex_start() in the beginning of COM_REFRESH;
        - handle failures to flush the error log properly, i.e. raise ER_UNKNOWN_ERROR.
      41dc3049
  6. 15 Sep, 2011 1 commit
  7. 23 Aug, 2011 1 commit
  8. 17 Aug, 2011 2 commits
  9. 11 Aug, 2011 1 commit
  10. 10 Aug, 2011 3 commits
  11. 09 Aug, 2011 1 commit
  12. 08 Aug, 2011 1 commit
  13. 02 Aug, 2011 1 commit
  14. 27 Jul, 2011 2 commits
  15. 22 Jul, 2011 2 commits
    • Alexander Nozdrin's avatar
      Manual merge from mysql-5.0. · c4dad60a
      Alexander Nozdrin authored
      c4dad60a
    • Alexander Nozdrin's avatar
      For for Bug#12696072: FIX OUTDATED COPYRIGHT NOTICES IN RUNTIME RELATED CLIENT · f7618904
      Alexander Nozdrin authored
      TOOLS
      
      Backport a fix for Bug 57094 from 5.5.
      The following revision was backported:
      
      # revision-id: alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
      # parent: bar@mysql.com-20101006121559-am1e05ykeicwnx48
      # committer: Alexander Nozdrin <alexander.nozdrin@oracle.com>
      # branch nick: mysql-5.5-bugteam-bug57094
      # timestamp: Wed 2010-10-06 19:06:13 +0400
      # message:
      #   Fix for Bug 57094 (Copyright notice incorrect?).
      #   
      #   The fix is to:
      #     - introduce ORACLE_WELCOME_COPYRIGHT_NOTICE define to have a single place
      #       to specify copyright notice;
      #     - replace custom copyright notices with ORACLE_WELCOME_COPYRIGHT_NOTICE
      #       in programs.
      f7618904
  16. 19 Jul, 2011 1 commit
  17. 18 Jul, 2011 3 commits
  18. 15 Jul, 2011 5 commits
    • Bjorn Munch's avatar
      merge from 5.1 main · b2151fae
      Bjorn Munch authored
      b2151fae
    • Alexander Nozdrin's avatar
      Backport a fix for Bug#59060 (Valgrind warning in Protocol_text::store()). · 2fe4f6bb
      Alexander Nozdrin authored
      Original changeset:
      revision-id: alexander.nozdrin@oracle.com-20101221122349-6h8ammcro70a4pac
      parent: sven.sandberg@oracle.com-20101221121948-hnivuulyohzch1v4
      committer: Alexander Nozdrin <alexander.nozdrin@oracle.com>
      branch nick: mysql-trunk-bugfixing
      timestamp: Tue 2010-12-21 15:23:49 +0300
      message:
        A patch for Bug#59060 (Valgrind warning in Protocol_text::store()).
        
        We should not assume to have zero-terminated strings.
      2fe4f6bb
    • Tor Didriksen's avatar
      merge 5.0-security => 5.1-security · a72a9816
      Tor Didriksen authored
      a72a9816
    • Tor Didriksen's avatar
      Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL · cfe3489b
      Tor Didriksen authored
      The buffer was simply too small.
      In 5.5 and trunk, the size is 311 + 31,
      in 5.1 and below, the size is 331
      cfe3489b
    • Luis Soares's avatar
      DBUG_PRINT in solaris does not work well with NULL parameters. · dbba17da
      Luis Soares authored
      HA_ERR was returning 0 (null string) when no error happened 
      (error=0). Since HA_ERR is used in DBUG_PRINT, regardless there 
      was an error or not, the server could crash in solaris debug
      builds.
      
      We fix this by:
      
        - deploying an assertion that ensures that the function 
          is not called when no error has happened;
        - making sure that HA_ERR is only called when an error 
          happened;
        - making HA_ERR return "No Error", instead of 0, for 
          non-debug builds if it is called when no error happened.
      
      This will make HA_ERR return values to work with DBUG_PRINT on
      solaris debug builds.
      dbba17da
  19. 14 Jul, 2011 1 commit
    • Luis Soares's avatar
      BUG#11753004: 44360: REPLICATION FAILED · ce8077d8
      Luis Soares authored
                        
      The server crashes if it processes table map events that are
      corrupted, especially if they map different tables to the same
      identifier. This could happen, for instance, due to BUG 56226.
                        
      We fix this by checking whether the table map has already been
      mapped before actually applying the event. If it has been mapped
      with different settings an error is raised and the slave SQL
      thread stops. If it has been mapped with same settings the event
      is skipped. If the table is set to be ignored by the filtering
      rules, there is no change in behavior: the event is skipped and
      ids are not checked.
      ce8077d8
  20. 12 Jul, 2011 2 commits
    • Luis Soares's avatar
      BUG#12695969 · 93aba6e6
      Luis Soares authored
      Manually merged from mysql-5.0 into mysql-5.1.
      
      conflicts
      =========
      
      include/Makefile.am
      93aba6e6
    • Luis Soares's avatar
      BUG#12695969 · eae6fde7
      Luis Soares authored
      Follow-up patch that adds the newly added header file to
      Makefile.am noinst_HEADERS.
      eae6fde7
  21. 11 Jul, 2011 3 commits
    • Luis Soares's avatar
      BUG#12695969 · d3324c00
      Luis Soares authored
      Manually merged mysql-5.0 into mysql-5.1.
      
      conflicts
      =========
      client/mysqlibinlog.cc
      d3324c00
    • Luis Soares's avatar
      BUG#12695969: FIX OUTDATED COPYRIGHT NOTICES IN REPLACTION · cc17ce72
      Luis Soares authored
      CLIENT TOOLS
            
      The fix is to backport part of revision:
              
        - alexander.nozdrin@oracle.com-20101006150613-ls60rb2tq5dpyb5c
            
      from mysql-5.5. In detail, we add the oracle welcome notice
      header file proposed in the original patch and include/use it
      in client/mysqlbinlog.cc, replacing the existing and obsolete
      notice.
      cc17ce72
    • Tor Didriksen's avatar
      Bug#11765255 - 58201: VALGRIND/CRASH WHEN ORDERING BY MULTIPLE AGGREGATE FUNCTIONS · 9827d4aa
      Tor Didriksen authored
      We must allocate a larger ref_pointer_array. We failed to account for extra
      items allocated here:
      #0  find_order_in_list 
        uint el= all_fields.elements;
        all_fields.push_front(order_item); /* Add new field to field list. */
        ref_pointer_array[el]= order_item;
        order->item= ref_pointer_array + el;
      #1  setup_order
      #2  setup_without_group
      #3  JOIN::prepare
      9827d4aa
  22. 07 Jul, 2011 3 commits
    • kevin.lewis@oracle.com's avatar
      Bug#12637786 was fixed with rb:692 by marko. But that fix has a remaining · e3fab622
      kevin.lewis@oracle.com authored
      bug.  It added this assert;
          ut_ad(ind_field->prefix_len);
      before a section of code that assumes there is a prefix_len.  
      
      The patch replaced code that explicitly avoided this with a check for
      prefix_len.  It turns out that the purge thread can get to that assert
      without a prefix_len because it does not use a row_ext_t* .
      When UNIV_DEBUG is not defined, the affect of this is that the purge thread
      sets the dfield->len to zero and then cannot find the entry in the index to
      purge.  So secondary index entries remain unpurged.
      
      This patch does not do the assert.  Instead, it uses
          'if (ind_field->prefix_len) {...}'
      around the section of code that assumes a prefix_len.  This is the way the
      patch I provided to Marko did it.
      
      The test case is simply modified to do a sleep(10) in order to give the
      purge thread a chance to run. Without the code change to row0row.c, this
      modified testcase will assert if InnoDB was compiled with UNIV_DEBUG.
      I tried to sleep(5), but it did not always assert.
      e3fab622
    • Joerg Bruehe's avatar
      Fix bug#45415: "rpm upgrade recreates test database" · 535855eb
      Joerg Bruehe authored
      Let the creation of the "test" database happen only during a new
      installation, not in an RPM upgrade.
      535855eb
    • Georgi Kodinov's avatar