From 0f5a1e5910d48bb0ef0e21ca8d31a0f7b98f3b4c Mon Sep 17 00:00:00 2001
From: "kaa@polly.local" <>
Date: Mon, 11 Jun 2007 23:06:20 +0400
Subject: [PATCH] Fix for bug #29015 "Stack overflow in processing temporary table name when tmpdir path is long" In create_tmp_table() don't set full table path as a table name. Other code assumes table names to not exceed NAME_LEN bytes.
---
 mysql-test/r/long_tmpdir.result | 3 +++
 mysql-test/t/long_tmpdir-master.opt | 1 +
 mysql-test/t/long_tmpdir-master.sh | 3 +++
 mysql-test/t/long_tmpdir.test | 9 +++++++++
 sql/sql_select.cc | 20 ++++++++++++--------
 5 files changed, 28 insertions(+), 8 deletions(-)
 create mode 100644 mysql-test/r/long_tmpdir.result
 create mode 100644 mysql-test/t/long_tmpdir-master.opt
 create mode 100644 mysql-test/t/long_tmpdir-master.sh
 create mode 100644 mysql-test/t/long_tmpdir.test
diff --git a/mysql-test/r/long_tmpdir.result b/mysql-test/r/long_tmpdir.result
new file mode 100644
index 00000000000..7e6dd34ced1
--- /dev/null
+++ b/mysql-test/r/long_tmpdir.result
@@ -0,0 +1,3 @@
+create view v1 as select table_name from information_schema.tables;
+drop view v1;
+End of 5.0 tests
diff --git a/mysql-test/t/long_tmpdir-master.opt b/mysql-test/t/long_tmpdir-master.opt
new file mode 100644
index 00000000000..398abfc4632
--- /dev/null
+++ b/mysql-test/t/long_tmpdir-master.opt
@@ -0,0 +1 @@
+--tmpdir=$MYSQLTEST_VARDIR/tmp/long_temporary_directory_path_123456789_123456789_123456789_123456789_123456789_123456789_123456789_123456789
diff --git a/mysql-test/t/long_tmpdir-master.sh b/mysql-test/t/long_tmpdir-master.sh
new file mode 100644
index 00000000000..318955fbcca
--- /dev/null
+++ b/mysql-test/t/long_tmpdir-master.sh
@@ -0,0 +1,3 @@
+d="$MYSQLTEST_VARDIR/tmp/long_temporary_directory_path_123456789_123456789_123456789_123456789_123456789_123456789_123456789_123456789"
+test -d "$d" || mkdir "$d"
+rm -f "$d"/*
diff --git a/mysql-test/t/long_tmpdir.test b/mysql-test/t/long_tmpdir.test new file mode 100644 index 00000000000..cf0bed29918 --- /dev/null +++ b/mysql-test/t/long_tmpdir.test @@ -0,0 +1,9 @@ +# +# Bug #29015: Stack overflow in processing temporary table name when tmpdir path +# is long +# + +create view v1 as select table_name from information_schema.tables; +drop view v1; + +--echo End of 5.0 tests diff --git a/sql/sql_select.cc b/sql/sql_select.cc index b7ac2130784..dcffbe250e2 100644 --- a/sql/sql_select.cc +++ b/sql/sql_select.cc @@ -9102,7 +9102,7 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, bool using_unique_constraint= 0; bool use_packed_rows= 0; bool not_all_columns= !(select_options & TMP_TABLE_ALL_COLUMNS); - char *tmpname,path[FN_REFLEN]; + char *tmpname, *tmppath, path[FN_REFLEN], table_name[NAME_LEN+1]; byte *pos,*group_buff; uchar *null_flags; Field **reg_field, **from_field, **default_field; @@ -9125,12 +9125,12 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, temp_pool_slot = bitmap_set_next(&temp_pool); if (temp_pool_slot != MY_BIT_NONE) // we got a slot - sprintf(path, "%s_%lx_%i", tmp_file_prefix, - current_pid, temp_pool_slot); + sprintf(table_name, "%s_%lx_%i", tmp_file_prefix, + current_pid, temp_pool_slot); else { /* if we run out of slots or we are not using tempool */ - sprintf(path,"%s%lx_%lx_%x", tmp_file_prefix,current_pid, + sprintf(table_name, "%s%lx_%lx_%x", tmp_file_prefix,current_pid, thd->thread_id, thd->tmp_table++); } @@ -9138,7 +9138,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, No need to change table name to lower case as we are only creating MyISAM or HEAP tables here */ - fn_format(path, path, mysql_tmpdir, "", MY_REPLACE_EXT|MY_UNPACK_FILENAME); + fn_format(path, table_name, mysql_tmpdir, "", + MY_REPLACE_EXT|MY_UNPACK_FILENAME); if (group) { 
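Review bot: Both `sprintf(table_name, ...)` calls in the `@@ -9125` hunk still write without a bound, and the destination is now the smaller `table_name[NAME_LEN+1]` instead of `path[FN_REFLEN]`. The formatted pieces (prefix, hex pid, thread id, slot or counter) look short enough to fit, but nothing in the hunk enforces that, so a longer `tmp_file_prefix` or a wider id would bring back the stack overflow this commit is fixing. A bounded call makes the limit explicit, e.g. `snprintf(table_name, sizeof(table_name), "%s_%lx_%i", tmp_file_prefix, current_pid, temp_pool_slot);`, and the same for the `else` branch. create_tmp_table() starts and ends outside the hunk.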
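Review bot: The result of `fn_format(path, table_name, mysql_tmpdir, ...)` in the `@@ -9138` hunk is not checked, while `path` is a fixed `FN_REFLEN` buffer that receives the tmpdir plus the generated name. What fn_format() does when the combined name does not fit is not visible on this page; if it truncates or falls back to the bare name, the temporary file could end up outside tmpdir without any error being reported. Consider failing table creation when the formatted path does not fit, and covering that with a tmpdir whose length is close to FN_REFLEN, since the added test path is much shorter than that.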
@@ -9183,7 +9184,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, sizeof(*key_part_info)*(param->group_parts+1), ¶m->start_recinfo, sizeof(*param->recinfo)*(field_count*2+4), - &tmpname, (uint) strlen(path)+1, + &tmppath, (uint) strlen(path)+1, + &tmpname, (uint) strlen(table_name)+1, &group_buff, group && ! using_unique_constraint ? param->group_length : 0, NullS)) @@ -9201,7 +9203,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, DBUG_RETURN(NULL); /* purecov: inspected */ } param->items_to_copy= copy_func; - strmov(tmpname,path); + strmov(tmppath, path); + strmov(tmpname, table_name); /* make table according to fields */ bzero((char*) table,sizeof(*table)); @@ -9227,7 +9230,8 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields, table->s= &table->share_not_to_be_used; table->s->blob_field= blob_field; - table->s->table_name= table->s->path= tmpname; + table->s->table_name= tmpname; + table->s->path= tmppath; table->s->db= ""; table->s->blob_ptr_size= mi_portable_sizeof_char_ptr; table->s->tmp_table= NON_TRANSACTIONAL_TMP_TABLE;
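Review bot: The NAME_LEN limit that the commit message relies on is stated nowhere in the code once `table->s->table_name` and `table->s->path` become separate strings in the `@@ -9227` hunk. A comment at the assignment such as `/* table_name must fit in NAME_LEN: consumers copy it into NAME_LEN-sized buffers */` together with `DBUG_ASSERT(strlen(tmpname) <= NAME_LEN);` would keep the invariant visible to the next change. The consumers that overflowed on a long name are not part of this patch, so they presumably still copy without a bound; bounding those copies would be the more robust fix. Any code that used `table_name` as the file path of an internal temporary table now has to read `path` instead, which cannot be verified from these hunks.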