1. 29 Oct, 2010 3 commits
      merge to 5.1-security · 5ddd6c07
      Georgi Kodinov authored
      Bug#57688 Assertion `!table || (!table->write_set || bitmap_is_set(table->write_set, field · e3917c3d
      Sergey Glukhov authored
      The lines below, which were added in the patch for Bug#56814, cause this crash:
      
      +      if (table->table)
      +        table->table->maybe_null= FALSE;
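      Review bot: the unconditional `table->table->maybe_null= FALSE` in this hunk is the defect the message traces: with maybe_null cleared, create_tmp_field() takes the create_tmp_field_from_item() path and builds a LONGLONG tmp-table field, while calc_group_buffer() still sizes the group buffer from the LONG base-table field, so do_field_int() called from end_update() writes past the buffer. The proposed change (drop this assignment from simplify_joins() and make list_contains_unique_index() use Field::real_maybe_null() plus a TABLE_LIST::outer_join check) removes that mismatch without touching the OLAP path that needs create_tmp_field_from_item().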
      
      Consider the following test case:
      --
      CREATE TABLE t1(f1 INT NOT NULL);
      INSERT INTO t1 VALUES (16777214),(0);
      
      SELECT COUNT(*) FROM t1 LEFT JOIN t1 t2
      ON 1 WHERE t2.f1 > 1 GROUP BY t2.f1;
      
      DROP TABLE t1;
      --
      
      We set TABLE::maybe_null to FALSE for t2 table
      and in create_tmp_field() we create appropriate tmp table field
      using create_tmp_field_from_item() function instead of
      create_tmp_field_from_field. As a result we have
      LONGLONG field. As we have GROUP BY clause we calculate
      group buffer length, see calc_group_buffer().
      The item from the group list which is used for the calculation
      refers to the field from the real tables and has LONG type.
      So the group buffer length becomes insufficient for storing a
      LONGLONG value. This leads to overwriting of the wrong memory
      area in the do_field_int() function, which is called from
      end_update().
      After some investigation I found out that
      create_tmp_field_from_item() is used only for OLAP
      grouping and can not be used for common grouping
      as it could be an incompatibility between tmp
      table fields and group buffer length.
      We can not remove create_tmp_field_from_item() call from
      create_tmp_field as OLAP needs it and we can not use this
      function for common grouping. So we should remove setting
      TABLE::maybe_null to FALSE from simplify_joins().
      In this case we'll get wrong behaviour of
      list_contains_unique_index() back. To fix it we
      could use Field::real_maybe_null() check instead of
      Field::maybe_null() and add an additional check of
      TABLE_LIST::outer_join.
      Bug#57194 group_concat cause crash and/or invalid memory reads with type errors · 3a61843a
      Sergey Glukhov authored
      The problem is caused by the bug49487 fix and became visible
      after the bug56679 fix.
      Items are cleaned up and set to unfixed state after filling derived table.
      So we can not rely on item::fixed state in Item_func_group_concat::print
      and we can not use 'args' array as items there may be cleaned up.
      The fix is always to use orig_args array of items as it
      always should contain the correct data.
  5. 18 Oct, 2010 2 commits
      Bug#56814 Explain + subselect + fulltext crashes server · e6472e8f
      Sergey Glukhov authored
      create_sort_index() function overwrites original JOIN_TAB::type field.
      At re-execution of subquery overwritten JOIN_TAB::type(JT_ALL) is
      used instead of JT_FT. It misleads test_if_skip_sort_order() and
      the function tries to find suitable key for the order that should
      not be allowed for FULLTEXT(JT_FT) table.
      The fix is to restore JOIN_TAB structures for subselect on re-execution
      for EXPLAIN.
      Additional fix:
      Update TABLE::maybe_null field which
      affects list_contains_unique_index() behaviour as it
      could have the value(maybe_null==TRUE) based on the
      assumption that this join is outer
      (see setup_table_map() func).
      Bug#54484 explain + prepared statement: crash and Got error -1 from storage engine · 9a8f22fa
      Sergey Glukhov authored
      Subquery executes twice, at top level JOIN::optimize and ::execute stages.
      At first execution create_sort_index() function is called and
      FT_SELECT object is created and destroyed. HANDLER::ft_handler is cleaned up
      in the object destructor and at second execution FT_SELECT::get_next() method
      returns error.
      The fix is to reinit HANDLER::ft_handler field before re-execution of subquery.
  8. 12 Oct, 2010 2 commits
      Fix for bug#57283: inet_ntoa() crashes · 9ef7eac2
      Ramil Kalimullin authored
      Problem: some calls of the INET_NTOA() function may lead
      to a crash due to its missing character set initialization.
      
      Fix: explicitly set the character set.
      Fix for bug#57272: crash in rpad() when using utf8 · 5a2a6c2c
      Ramil Kalimullin authored
      Problem: if multibyte and binary string arguments are passed to
      RPAD(), LPAD() or INSERT() functions, they might return
      wrong results or even lead to a server crash due to a missed
      character set conversion.
      
      Fix: perform the conversion if necessary.