From 04fd2f18cb9de58d62ec6c860f586b9f81a95300 Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 1 Aug 2013 11:46:11 +0300
Subject: [PATCH 1/2] MDEV-4811 Assertion `offset < 0x1f' fails in type_and_offset_store on COLUMN_ADD MDEV-4812 Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD Fixed problem of working on wrong data (do not allow offset to out of string length).
---
 mysql-test/r/dyncol.result | 21 +++++++++++++++++++++
 mysql-test/t/dyncol.test | 23 +++++++++++++++++++++++
 mysys/ma_dyncol.c | 27 ++++++++++++++++++---------
 3 files changed, 62 insertions(+), 9 deletions(-)
diff --git a/mysql-test/r/dyncol.result b/mysql-test/r/dyncol.result
index 6b1dd4d96ec..1b06bd06162 100644
--- a/mysql-test/r/dyncol.result
+++ b/mysql-test/r/dyncol.result
@@ -1404,5 +1404,26 @@ v1 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VI
 drop view v1;
 drop table t1;
 #
+# MDEV-4811: Assertion `offset < 0x1f' fails in type_and_offset_store
+# on COLUMN_ADD
+#
+CREATE TABLE t1 (dyn TINYBLOB) ENGINE=MyISAM;
+INSERT INTO t1 SET dyn = COLUMN_CREATE( 40, REPEAT('a', 233), 4, REPEAT('b', 322) );
+Warnings:
+Warning 1265 Data truncated for column 'dyn' at row 1
+SELECT COLUMN_ADD( dyn, 6, REPEAT('x',80), 4, REPEAT('y',215) AS INTEGER ) FROM t1;
+ERROR HY000: Encountered illegal format of dynamic column string
+DROP table t1;
+#
+# MDEV-4812: Valgrind warnings (Invalid write) in
+# dynamic_column_update_many on COLUMN_ADD
+#
+CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;
+INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );
+Warnings:
+Warning 1265 Data truncated for column 'dyncol' at row 1
+SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;
+DROP table t1;
+#
 # end of 5.3 tests
 #
diff --git a/mysql-test/t/dyncol.test b/mysql-test/t/dyncol.test
index ca3ff600509..914bf9151b3 100644
--- a/mysql-test/t/dyncol.test
+++ b/mysql-test/t/dyncol.test
@@ -599,6 +599,29 @@ drop view v1;
 drop table t1;
+--echo #
+--echo # MDEV-4811: Assertion `offset < 0x1f' fails in type_and_offset_store
+--echo # on COLUMN_ADD
+--echo #
+
+CREATE TABLE t1 (dyn TINYBLOB) ENGINE=MyISAM;
+INSERT INTO t1 SET dyn = COLUMN_CREATE( 40, REPEAT('a', 233), 4, REPEAT('b', 322) );
+--error ER_DYN_COL_WRONG_FORMAT
+SELECT COLUMN_ADD( dyn, 6, REPEAT('x',80), 4, REPEAT('y',215) AS INTEGER ) FROM t1;
+
+DROP table t1;
+
+--echo #
+--echo # MDEV-4812: Valgrind warnings (Invalid write) in
+--echo # dynamic_column_update_many on COLUMN_ADD
+--echo #
+CREATE TABLE t1 (dyncol TINYBLOB) ENGINE=MyISAM;
+
+INSERT INTO t1 SET dyncol = COLUMN_CREATE( 7, REPEAT('k',487), 209, REPEAT('x',464) );
+--error 0,ER_DYN_COL_WRONG_FORMAT
+SELECT COLUMN_ADD( dyncol, 7, '22:22:22', 8, REPEAT('x',270) AS CHAR ) FROM t1;
+DROP table t1;
+
 --echo #
 --echo # end of 5.3 tests
 --echo #
diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c
index 03d9007c7cb..f01d69f0b25 100644
--- a/mysys/ma_dyncol.c
+++ b/mysys/ma_dyncol.c
@@ -1228,13 +1228,14 @@ dynamic_column_create(DYNAMIC_COLUMN *str, uint column_nr,
 @param header_end Pointer to the header end
 @param offset_size Size of offset field in bytes
 @param last_offset Size of the data segment
+ @param error Set in case of error
 @return number of bytes
 */
 static size_t get_length_interval(uchar *entry, uchar *entry_next,
 uchar *header_end, size_t offset_size,
- size_t last_offset)
+ size_t last_offset, my_bool *error)
 {
 size_t offset, offset_next;
 DYNAMIC_COLUMN_TYPE type, type_next;
@@ -1242,8 +1243,12 @@ static size_t get_length_interval(uchar *entry, uchar *entry_next,
 type_and_offset_read(&type, &offset, entry, offset_size);
 if (entry_next >= header_end)
+ {
+ *error= 0;
 return (last_offset - offset);
+ }
 type_and_offset_read(&type_next, &offset_next, entry_next, offset_size);
+ *error= (offset_next > last_offset);
 return (offset_next - offset);
 }
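Review bot: The MDEV-4812 case in the dyncol.test hunk lists `--error 0,ER_DYN_COL_WRONG_FORMAT`, so the statement passes whether COLUMN_ADD succeeds or rejects the value, and the test only catches a crash or a Valgrind report. If that is intentional (the stored TINYBLOB is truncated, so what the parser makes of it is presumably not well defined), a line such as `# Truncated input: either outcome is accepted, the test only guards against invalid writes` above the `--error` would record it. Otherwise, pinning the single expected outcome, as the MDEV-4811 case does with `--error ER_DYN_COL_WRONG_FORMAT`, would make a regression in the format check visible.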
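Review bot: The new `error` flag in get_length_interval (second ma_dyncol.c hunk) covers only `offset_next > last_offset`; an entry whose own `offset` exceeds `last_offset` (the last-entry branch sets `*error= 0` unconditionally) or whose `offset_next` is smaller than `offset` still makes the size_t subtraction wrap, and is rejected only because find_column and dynamic_column_update_many keep their `(long) length < 0` casts. Since the packed value comes from stored column data that may be truncated or malformed, I would make the flag complete on its own: `*error= (offset > last_offset);` before the first return and `*error= (offset_next > last_offset || offset_next < offset);` before the second. The `@param error` line would then read better as `@param error  Out: TRUE if an offset lies outside the data segment or the offsets decrease, else FALSE`, and the same wording applies to get_length in the following hunk. The doc comment of get_length_interval starts outside the first hunk.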
@@ -1255,17 +1260,18 @@ static size_t get_length_interval(uchar *entry, uchar *entry_next,
 @param header_end Pointer to the header end
 @param offset_size Size of offset field in bytes
 @param last_offset Size of the data segment
+ @param error Set in case of error
 @return number of bytes
 */
 static size_t get_length(uchar *entry, uchar *header_end, size_t offset_size,
- size_t last_offset)
+ size_t last_offset, my_bool *error)
 {
 return get_length_interval(entry, entry + offset_size + COLUMN_NUMBER_SIZE,
- header_end, offset_size, last_offset);
+ header_end, offset_size, last_offset, error);
 }
@@ -1304,6 +1310,7 @@ find_column(DYNAMIC_COLUMN_TYPE *type, uchar **data, size_t *length,
 uchar *entry;
 size_t offset, total_data, header_size, entry_size;
 uchar key[2+4];
+ my_bool error;
 if (!entry_pos)
 entry_pos= &entry;
@@ -1329,12 +1336,12 @@ find_column(DYNAMIC_COLUMN_TYPE *type, uchar **data, size_t *length,
 return 1;
 *data= header + header_size + offset;
 *length= get_length(entry, header + header_size, offset_size,
- total_data);
+ total_data, &error);
 /* Check that the found data is withing the ranges. This can happen if we get data with wrong offsets. */
- if ((long) *length < 0 || offset + *length > total_data)
+ if (error || (long) *length < 0 || offset + *length > total_data)
 return 1;
 *entry_pos= entry;
@@ -1837,12 +1844,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
 entry_size, column_count, &entry))
 {
 size_t entry_data_size;
+ my_bool error;
 /* Data existed; We have to replace or delete it */
 entry_data_size= get_length(entry, header_end,
- offset_size, max_offset);
- if ((long) entry_data_size < 0)
+ offset_size, max_offset, &error);
+ if (error || (long) entry_data_size < 0)
 {
 rc= ER_DYNCOL_FORMAT;
 goto end;
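Review bot: In the second find_column hunk, `*data` and `*length` are stored through the caller's pointers before the range check runs, so on the `return 1` path the caller is left holding a pointer and a length derived from offsets that were just rejected. Whether any caller reads them after a failure is not visible here, but validating into locals first and assigning `*data` and `*length` only after the `if (error || ...)` test would remove the possibility. If the early assignment is kept, a comment such as `/* *data and *length are undefined when 1 is returned */` in the function header would state the contract. The function body starts and ends outside the hunk.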
@@ -2038,12 +2046,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
 /* copy first the data that was not replaced in original packed data */
 if (start < end)
 {
+ my_bool error;
 /* Add old data last in 'tmp' */
 size_t data_size= get_length_interval(header_base + start * entry_size, header_base + end * entry_size,
- header_end, offset_size, max_offset);
- if ((long) data_size < 0 ||
+ header_end, offset_size, max_offset, &error);
+ if (error || (long) data_size < 0 ||
 data_size > max_offset - first_offset)
 {
 dynamic_column_column_free(&tmp);
From f1b4718ec894664df221704bb70fed80bdc14070 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Mon, 12 Aug 2013 16:47:59 +0400
Subject: [PATCH 2/2] MDEV-4652 Wrong result for CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00'))
---
 mysql-test/r/type_time.result | 9 +++++++++
 mysql-test/t/type_time.test | 6 ++++++
 sql/item.cc | 3 ++-
 sql/item_func.cc | 7 +++++++
 4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/type_time.result b/mysql-test/r/type_time.result
index 5a047f32062..23943c3c848 100644
--- a/mysql-test/r/type_time.result
+++ b/mysql-test/r/type_time.result
@@ -182,5 +182,14 @@ NULL
 Warnings:
 Warning 1292 Incorrect datetime value: '0000-00-00 00:00:00'
 #
+# MDEV-4652 Wrong result for CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00')))
+#
+SELECT CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00')));
+CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00')))
+00:00:01.000000
+SELECT CONCAT(GREATEST(TIME('32 00:00:01'),TIME('00:00:00')));
+CONCAT(GREATEST(TIME('32 00:00:01'),TIME('00:00:00')))
+768:00:01.000000
+#
 # End of 5.3 tests
 #
diff --git a/mysql-test/t/type_time.test b/mysql-test/t/type_time.test
index 26d77ad378e..1c0ba75e274 100644
--- a/mysql-test/t/type_time.test
+++ b/mysql-test/t/type_time.test
@@ -128,6 +128,12 @@ drop table t1;
 --echo #
 SELECT CONVERT_TZ(GREATEST(TIME('00:00:00'),TIME('00:00:00')),'+00:00','+7:5');
+--echo #
+--echo # MDEV-4652 Wrong result for CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00')))
+--echo #
+SELECT CONCAT(GREATEST(TIME('00:00:01'),TIME('00:00:00')));
+SELECT CONCAT(GREATEST(TIME('32 00:00:01'),TIME('00:00:00')));
+
 --echo #
 --echo # End of 5.3 tests
 --echo #
diff --git a/sql/item.cc b/sql/item.cc
index f5687f18cb3..1383500b007 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -252,7 +252,8 @@ String *Item::val_string_from_decimal(String *str)
 String *Item::val_string_from_date(String *str)
 {
 MYSQL_TIME ltime;
- if (get_date(<ime, 0) ||
+ if (get_date(<ime,
+ field_type() == MYSQL_TYPE_TIME ? TIME_TIME_ONLY : 0) ||
 str->alloc(MAX_DATE_STRING_REP_LENGTH))
 {
 null_value= 1;
diff --git a/sql/item_func.cc b/sql/item_func.cc
index e1a2bd44c34..9079de6f06e 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -2480,6 +2480,13 @@ bool Item_func_min_max::get_date(MYSQL_TIME *ltime, uint fuzzy_date)
 ltime->time_type= MYSQL_TIMESTAMP_DATE;
 ltime->hour= ltime->minute= ltime->second= ltime->second_part= 0;
 }
+ else if (compare_as_dates->field_type() == MYSQL_TYPE_TIME)
+ {
+ ltime->time_type= MYSQL_TIMESTAMP_TIME;
+ ltime->hour+= (ltime->month * 32 + ltime->day) * 24;
+ ltime->month= ltime->day= 0;
+ }
+
 return 0;
 }
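Review bot: The new TIME branch in Item_func_min_max::get_date (item_func.cc hunk) folds `month` and `day` into hours with an unexplained `* 32`, and nothing in the hunk says why a TIME value would carry a non-zero month or day at this point. Judging from the new test, where `TIME('32 00:00:01')` prints `768:00:01`, the compared value seems to come back with its days stored as `month * 32 + day`; if so, a comment such as `/* TIME compared as datetime: days arrive as month*32+day, fold them into hours */` above the assignment would make that dependency explicit. `year` is left untouched, which is presumably fine for the TIME range but worth confirming. The function starts outside the hunk.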