1. 19 Oct, 2011 1 commit
  2. 14 Oct, 2011 2 commits
    • Tor Didriksen's avatar
      merge 5.0-security => 5.1 security · 5dc553cd
      Tor Didriksen authored
      5dc553cd
    • Tor Didriksen's avatar
      Bug#12563865 ROUNDED,TMP_BUF,DECIMAL_VALUE STACK CORRUPTION IN ALL VERSIONS >=5.0 · a6145f4b
      Tor Didriksen authored
      Buffer over-run on all platforms, crash on windows, wrong result on other platforms,
      when rounding numbers which start with 999999999 and have
      precision = 9 or 18 or 27 or 36 ...
      
      
      mysql-test/r/type_newdecimal.result:
        New test cases.
      mysql-test/t/type_newdecimal.test:
        New test cases.
      sql/my_decimal.h:
        Add sanity checking code, to catch buffer over/under-run.
      strings/decimal.c:
        The original initialization of intg1 (add 1 if buf[0] == DIG_MAX)
        will set p1 to point outside the buffer, and the loop to copy the original value
            while (buf0 < p0)
              *(--p1) = *(--p0);
        will overwrite memory outside the my_decimal object.
      a6145f4b
  3. 12 Oct, 2011 4 commits
  4. 10 Oct, 2011 1 commit
  5. 07 Oct, 2011 1 commit
    • Magne Mahre's avatar
      BUG#12589870 CRASHES WITH MULTIQUERY PACKET + USE<DB> + QUERY CACHE · f36e854a
      Magne Mahre authored
       
      A buffer large enough to hold the query _plus_ some additional
      data is allocated before parsing is started.   The additional data 
      is used by the query cache, and consists of the name of the current 
      database and a set of flags.
       
      When a packet containing multiple SQL statements is sent to the
      server and one of the statements changes the current database
      (a "USE <db>" statement), and the name of the new current database 
      is longer than of the previous,  there is not enough space in the 
      buffer for the new name, and we write out over the buffer boundary.
      
      The fix adds an extra field to store the number of bytes
      allocated to the database name in the buffer.  If the current
      database name changes, and the new name is longer than the
      previous one, we refuse to cache the query.
      f36e854a
  6. 06 Oct, 2011 2 commits
  7. 05 Oct, 2011 4 commits
    • Bjorn Munch's avatar
      merge 5.1-mtr => 5.1 · b84202db
      Bjorn Munch authored
      b84202db
    • Sergey Glukhov's avatar
      automerge · 44145ce6
      Sergey Glukhov authored
      44145ce6
    • Sergey Glukhov's avatar
      Bug#11747970 34660: CRASH WHEN FEDERATED TABLE LOSES CONNECTION DURING INSERT ... SELECT · 14dc91ff
      Sergey Glukhov authored
      Problematic query:
      insert ignore into `t1_federated` (`c1`) select `c1` from  `t1_local` a
      where not exists (select 1 from `t1_federated` b where a.c1 = b.c1);
      When this query is killed in another connection it could lead to crash.
      The problem is follwing:
      An attempt to obtain table statistics for subselect table in killed query
      fails with an error. So JOIN::optimize() for subquery is failed but
      it does not prevent further subquery evaluation.
      At the first subquery execution JOIN::optimize() is called
      (see subselect_single_select_engine::exec()) and fails with
      an error. 'executed' flag is set to TRUE and it prevents
      further subquery evaluation. At the second call
      JOIN::optimize() does not happen as 'JOIN::optimized' is TRUE
      and in case of uncacheable subquery the 'executed' flag is set
      to FALSE before subquery evaluation. So we loose 'optimize stage'
      error indication (see subselect_single_select_engine::exec()).
      In other words 'executed' flag is used for two purposes, for
      error indication at JOIN::optimize() stage and for an
      indication of subquery execution. And it seems it's wrong
      as the flag could be reset.
      
      
      mysql-test/r/error_simulation.result:
        test case
      mysql-test/t/error_simulation.test:
        test case
      sql/item_subselect.cc:
        added new flag subselect_single_select_engine::optimize_error
        which is used for error detection which could happen at optimize
        stage.
      sql/item_subselect.h:
        added new flag subselect_single_select_engine::optimize_error
      sql/sql_select.cc:
        test case
      14dc91ff
    • Marko Mäkelä's avatar
      Add InnoDB UNIV_SYNC_DEBUG assertions to rw-lock code. · 16c91952
      Marko Mäkelä authored
      rw_lock_x_lock_func(): Assert that the thread is not already holding
      the lock in a conflicting mode (RW_LOCK_SHARED).
      
      rw_lock_s_lock_func(): Assert that the thread is not already holding
      the lock in a conflicting mode (RW_LOCK_EX).
      16c91952
  8. 04 Oct, 2011 5 commits
  9. 03 Oct, 2011 1 commit
  10. 29 Sep, 2011 2 commits
    • Tatjana Azundris Nuernberg's avatar
      manual merge · 7944320f
      Tatjana Azundris Nuernberg authored
      7944320f
    • Tatjana Azundris Nuernberg's avatar
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows /... · 8932ae21
      Tatjana Azundris Nuernberg authored
      Bug#11765687 (MySQL58677): No privilege on table / view, but can know #rows / underlying table's name
      
      1 - If a user had SHOW VIEW and SELECT privileges on a view and
      this view was referencing another view, EXPLAIN SELECT on the outer
      view (that the user had privileges on) could reveal the structure
      of the underlying "inner" view as well as the number of rows in
      the underlying tables, even if the user had privileges on none of
      these referenced objects.
      
      This happened because we used DEFINER's UID ("SUID") not just for
      the view given in EXPLAIN, but also when checking privileges on
      the underlying views (where we should use the UID of the EXPLAIN's
      INVOKER instead).
      
      We no longer run the EXPLAIN SUID (with DEFINER's privileges).
      This prevents a possible exploit and makes permissions more
      orthogonal.
      
      2 - EXPLAIN SELECT would reveal a view's structure even if the user
      did not have SHOW VIEW privileges for that view, as long as they
      had SELECT privilege on the underlying tables.
      
      Instead of requiring both SHOW VIEW privilege on a view and SELECT
      privilege on all underlying tables, we were checking for presence
      of either of them.
      
      We now explicitly require SHOW VIEW and SELECT privileges on
      the view we run EXPLAIN SELECT on, as well as all its
      underlying views. We also require SELECT on all relevant
      tables. 
      
      
      mysql-test/r/view_grant.result:
        add extensive tests to illustrate desired behavior and
        prevent regressions (as always).
      mysql-test/t/view_grant.test:
        add extensive tests to illustrate desired behavior and
        prevent regressions (as always).
      sql/sql_view.cc:
        We no longer run the EXPLAIN SUID (with DEFINER's privileges).
        To achieve this, we use a temporary, SUID-less TABLE_LIST for
        the views while checking privileges.
      8932ae21
  11. 28 Sep, 2011 1 commit
    • Raghav Kapoor's avatar
      BUG#11758062 - 50206: ER_TOO_BIG_SELECT REFERS TO OUTMODED · ffd0a785
      Raghav Kapoor authored
      SYSTEM VARIABLE NAME SQL_MAX_JOIN_SI 
      
      BACKGROUND:
      
      ER_TOO_BIG_SELECT refers to SQL_MAX_JOIN_SIZE, which is the
      old name for MAX_JOIN_SIZE.
      
      FIX:
      
      Support for old name SQL_MAX_JOIN_SIZE is removed in MySQL 5.6
      and is renamed as MAX_JOIN_SIZE.So the errmsg.txt 
      and mysql.cc files have been updated and the corresponding result
      files have also been updated.
      ffd0a785
  12. 27 Sep, 2011 2 commits
  13. 26 Sep, 2011 2 commits
  14. 22 Sep, 2011 2 commits
    • Alexander Nozdrin's avatar
      Fix for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY. · 1922d65f
      Alexander Nozdrin authored
      The main problem was that lex_start() was forgotten to be called before processing
      COM_REFRESH.
      
      Another problem discovered was that if failures to flush the error log were not properly
      handled, which resulted in the server crash.
      
      The user-visible effect of these problems were:
        - if COM_REFRESH command was sent after SQL-queries of some sort,
          the server would crash.
        - if COM_REFRESH was requested with REFRESH_LOG only, and the error log
          failed to flush, the server would crash. The error log fails to flush
          when it points to unavailable file (for example, due to restricted
          permissions).
      
      The fixes are:
        - call lex_start() in the beginning of COM_REFRESH;
        - handle failures to flush the error log properly, i.e. raise ER_UNKNOWN_ERROR.
      
      sql/sql_parse.cc:
        Fix for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY.
      tests/mysql_client_test.c:
        A test case for Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES
        ARE RUN CONCURRENTLY.
      1922d65f
    • Marko Mäkelä's avatar
      Bug#12963823 CRASH IN PURGE THREAD UNDER UNUSUAL CIRCUMSTANCES · 7f729cfa
      Marko Mäkelä authored
      Replace part of the patch that Kevin apparently forgot to push.
      Fix the bug also in the built-in InnoDB of MySQL 5.1.
      
      I cannot explain why the test case was not failing without the
      full patch.
      
      This was rb:762, approved by me.
      7f729cfa
  15. 21 Sep, 2011 1 commit
    • unknown's avatar
      Bug 12963823 - Crash in Purge thread under unusual circumstances. · 265737d1
      unknown authored
      The problem occurred when indexes are added between the time that an
      UNDO record is created and the time that the purge thread comes around
      and deletes the old secondary index entries.  The purge thread would
      hit an assert when trying to build a secondary index entry for
      searching.  The problem was that the old value of those fields were not
      in the UNDO record since they were not part of an index when the UPDATE
      occured. 
      A test case was added to innodb-index.test.
      265737d1
  16. 20 Sep, 2011 1 commit
  17. 19 Sep, 2011 1 commit
  18. 16 Sep, 2011 2 commits
    • Sergey Vojtovich's avatar
      Merge. · a33b4214
      Sergey Vojtovich authored
      a33b4214
    • Sergey Vojtovich's avatar
      BUG#11761180 - 53646: MYISAMPACK CORRUPTS TABLES WITH · 3f9cbd77
      Sergey Vojtovich authored
                     FULLTEXT INDEXES
      
      myisamchk may create incorrect fulltext index for compressed
      tables. Incorrect data pointer size was used while creating
      fulltext index.
      
      mysql-test/r/myisampack.result:
        A test case for BUG#11761180.
      mysql-test/t/myisampack.test:
        A test case for BUG#11761180.
      storage/myisam/ft_boolean_search.c:
        rec_reflength on share may have adjustments required for
        compressed tables and must be used instead of rec_reflength
        on base info.
      storage/myisam/ft_nlq_search.c:
        rec_reflength on share may have adjustments required for
        compressed tables and must be used instead of rec_reflength
        on base info.
      storage/myisam/mi_check.c:
        rec_reflength on share may have adjustments required for
        compressed tables and must be used instead of rec_reflength
        on base info.
      storage/myisam/mi_write.c:
        rec_reflength on share may have adjustments required for
        compressed tables and must be used instead of rec_reflength
        on base info.
      3f9cbd77
  19. 15 Sep, 2011 3 commits
  20. 14 Sep, 2011 2 commits