From b34d3728dd8f5e85a0f6f531556bd8b23cd4792a Mon Sep 17 00:00:00 2001 
From: Nisha Gopalakrishnan Date: Mon, 28 Apr 2014 16:28:09 +0530 Subject: [PATCH] BUG#17994219: CREATE TABLE .. SELECT PRODUCES INVALID STRUCTURE, BREAKS RBR Analysis: -------- A table created using a query of the format: CREATE TABLE t1 AS SELECT REPEAT('A',1000) DIV 1 AS a; breaks the Row Based Replication. The query above creates a table having a field of datatype 'bigint' with a display width of 3000 which is beyond the maximum acceptable value of 255. In the RBR mode, CREATE TABLE SELECT statement is replicated as a combination of CREATE TABLE statement equivalent to the one returned by SHOW CREATE TABLE and row events for rows inserted. When this CREATE TABLE event is executed on the slave, an error is reported: Display width out of range for column 'a' (max = 255) The following is the output of 'SHOW CREATE TABLE t1': CREATE TABLE t1(`a` bigint(3000) DEFAULT NULL) ENGINE=InnoDB DEFAULT CHARSET=latin1; The problem is due to the combination of two facts: 1) The above CREATE TABLE SELECT statement uses the display width of the result of DIV operation as the display width of the column created without validating the width for out of bound condition. 2) The DIV operation incorrectly returns the length of its first argument as the display width of its result; thus allowing creation of a table with an incorrect display width of 3000 for the field. Fix: ---- This fix changes the DIV operation implementation to correctly evaluate the display width of its result. We check if the estimated width of DIV's result exceeds the maximum width for an integer value (21) and, if so, set it to this maximum value. This patch also fixes maximum display width evaluation for DIV function when its first argument is in UCS2. 
---
 .../suite/rpl/r/rpl_row_create_select.result | 28 +++++++++++++++++++
 .../suite/rpl/t/rpl_row_create_select.test | 28 +++++++++++++++++++
 sql/item_func.cc | 10 ++++---
 3 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 mysql-test/suite/rpl/r/rpl_row_create_select.result
 create mode 100644 mysql-test/suite/rpl/t/rpl_row_create_select.test
diff --git a/mysql-test/suite/rpl/r/rpl_row_create_select.result b/mysql-test/suite/rpl/r/rpl_row_create_select.result
new file mode 100644
index 00000000000..719bfae3f0c
--- /dev/null
+++ b/mysql-test/suite/rpl/r/rpl_row_create_select.result
@@ -0,0 +1,28 @@
+include/master-slave.inc
+[connection master]
+#
+# BUG#17994219: CREATE TABLE .. SELECT PRODUCES INVALID STRUCTURE,
+# BREAKS RBR
+#
+#After the patch, the display width is set to a default
+#value of 21.
+CREATE TABLE t1 AS SELECT REPEAT('A', 1000) DIV 1 AS a;
+Warnings:
+Warning 1366 Incorrect decimal value: '' for column '' at row -1
+SHOW CREATE TABLE t1;
+Table Create Table
+t1 CREATE TABLE `t1` (
+ `a` bigint(21) DEFAULT NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1
+CREATE TABLE t2 AS SELECT CONVERT(REPEAT('A', 255) USING UCS2) DIV 1 AS a;
+Warnings:
+Warning 1366 Incorrect decimal value: '' for column '' at row -1
+SHOW CREATE TABLE t2;
+Table Create Table
+t2 CREATE TABLE `t2` (
+ `a` bigint(21) DEFAULT NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1
+#After the patch, no error is reported.
+DROP TABLE t1;
+DROP TABLE t2;
+include/rpl_end.inc
diff --git a/mysql-test/suite/rpl/t/rpl_row_create_select.test b/mysql-test/suite/rpl/t/rpl_row_create_select.test
new file mode 100644
index 00000000000..ca270e92d0c
--- /dev/null
+++ b/mysql-test/suite/rpl/t/rpl_row_create_select.test
@@ -0,0 +1,28 @@
+# Testing table creations for row-based replication.
+
+--source include/have_binlog_format_row.inc
+--source include/master-slave.inc
+
+--echo #
+--echo # BUG#17994219: CREATE TABLE .. SELECT PRODUCES INVALID STRUCTURE,
+--echo # BREAKS RBR
+--echo #
+
+connection master;
+--echo #After the patch, the display width is set to a default
+--echo #value of 21.
+CREATE TABLE t1 AS SELECT REPEAT('A', 1000) DIV 1 AS a;
+SHOW CREATE TABLE t1;
+
+CREATE TABLE t2 AS SELECT CONVERT(REPEAT('A', 255) USING UCS2) DIV 1 AS a;
+SHOW CREATE TABLE t2;
+
+--echo #After the patch, no error is reported.
+sync_slave_with_master;
+
+connection master;
+DROP TABLE t1;
+DROP TABLE t2;
+
+--source include/rpl_end.inc
+
diff --git a/sql/item_func.cc b/sql/item_func.cc
index 39c05d63150..3e3079f317f 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -1649,9 +1649,11 @@ void Item_func_int_div::fix_length_and_dec()
 {
 Item_result argtype= args[0]->result_type();
 /* use precision ony for the data type it is applicable for and valid */
- max_length=args[0]->max_length -
- (argtype == DECIMAL_RESULT || argtype == INT_RESULT ?
- args[0]->decimals : 0);
+ uint32 char_length= args[0]->max_char_length() -
+ (argtype == DECIMAL_RESULT || argtype == INT_RESULT ?
+ args[0]->decimals : 0);
+ fix_char_length(char_length > MY_INT64_NUM_DECIMAL_DIGITS ?
+ MY_INT64_NUM_DECIMAL_DIGITS : char_length);
 maybe_null=1;
 unsigned_flag=args[0]->unsigned_flag | args[1]->unsigned_flag;
 }
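Review bot: The test only proves that `sync_slave_with_master` returns; it never looks at the slave, so a replica that applied the event with a different column definition would still pass. After the sync, add `connection slave;` followed by `SHOW CREATE TABLE t1;` and `SHOW CREATE TABLE t2;` so the replicated width is recorded in the result file too. Both cases are far beyond the limit (1000 characters, and 255 UCS2 characters); a case just above 21 digits would pin the clamp boundary. The recorded result also bakes in `Warning 1366 Incorrect decimal value: '' for column '' at row -1`, whose empty column name and row -1 look unintended and are worth confirming before they become expected output.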
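Review bot: The clamp in `fix_char_length(...)` repairs only `DIV`; the commit message's first cause, `CREATE TABLE ... SELECT` copying an item's width into the column definition with no range check, is not touched by this hunk. Any other integer-typed item that reports a width above 255 would presumably still write a `CREATE TABLE` event the slave rejects, stopping row-based replication. A bound check (or debug assertion) at the point where the column is built from the item would close the whole class rather than this one function. In the new subtraction `char_length` is `uint32`, so if `args[0]->decimals` ever exceeded `max_char_length()` the value would wrap and the clamp would silently turn it into the maximum. The comment above it should say so, e.g. `/* Integer result: cap at MY_INT64_NUM_DECIMAL_DIGITS; this also absorbs wrap-around of the unsigned subtraction */`, and its `ony` should read `only`.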