From b01a4ceb565a1077ee93682f166e6a0420099486 Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 3 Nov 2010 14:02:15 +0100
Subject: [PATCH 1/4] Raise version number after cloning 5.1.53

---
 configure.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.in b/configure.in
index b7cd3585789..7fd581af009 100644
--- a/configure.in
+++ b/configure.in
@@ -12,7 +12,7 @@ dnl
 dnl When changing the major version number please also check the switch
 dnl statement in mysqlbinlog::check_master_version(). You may also need
 dnl to update version.c in ndb.
-AC_INIT([MySQL Server], [5.1.53], [], [mysql])
+AC_INIT([MySQL Server], [5.1.54], [], [mysql])
 AC_CONFIG_SRCDIR([sql/mysqld.cc])
 AC_CANONICAL_SYSTEM
From 0a29baba4bae36b947aba9001956f3c800f4205f Mon Sep 17 00:00:00 2001
From: Sergey Glukhov
Date: Mon, 8 Nov 2010 13:34:27 +0300
Subject: [PATCH 2/4] Fix for bug #54575: crash when joining tables with unique set column(backport from 5.1)

Problem: a flaw (derefencing a NULL pointer) in the LIKE optimization code may lead to a server crash in some rare cases.
Fix: check the pointer before its dereferencing.

mysql-test/r/func_like.result:
Fix for bug #54575: crash when joining tables with unique set column - test result.
mysql-test/t/func_like.test:
Fix for bug #54575: crash when joining tables with unique set column - test case.
sql/item_cmpfunc.cc:
Fix for bug #54575: crash when joining tables with unique set column - check res2 buffer pointer before its dereferencing as it may be NULL in some cases.
---
 mysql-test/r/func_like.result | 14 ++++++++++++++
 mysql-test/t/func_like.test | 18 ++++++++++++++++--
 sql/item_cmpfunc.cc | 7 ++++---
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/mysql-test/r/func_like.result b/mysql-test/r/func_like.result
index 7e6fedb9403..f8743d6305f 100644
--- a/mysql-test/r/func_like.result
+++ b/mysql-test/r/func_like.result
@@ -165,3 +165,17 @@ select 'andre%' like 'andre
 select _cp1251'andre%' like convert('andreÊ%' using cp1251) escape 'Ê';
 _cp1251'andre%' like convert('andreÊ%' using cp1251) escape 'Ê'
 1
+End of 4.1 tests
+#
+# Bug #54575: crash when joining tables with unique set column
+#
+CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
+CREATE TABLE t2(b INT PRIMARY KEY);
+INSERT INTO t1 VALUES ();
+Warnings:
+Warning 1364 Field 'a' doesn't have a default value
+INSERT INTO t2 VALUES (1), (2), (3);
+SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
+1
+DROP TABLE t1, t2;
+End of 5.1 tests
diff --git a/mysql-test/t/func_like.test b/mysql-test/t/func_like.test
index 4e1183afeff..50ebb2b2782 100644
--- a/mysql-test/t/func_like.test
+++ b/mysql-test/t/func_like.test
@@ -112,5 +112,19 @@ select 'andre%' like 'andre
 #
 select _cp1251'andre%' like convert('andreÊ%' using cp1251) escape 'Ê';
-#
-# End of 4.1 tests
+
+--echo End of 4.1 tests
+
+
+--echo #
+--echo # Bug #54575: crash when joining tables with unique set column
+--echo #
+CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
+CREATE TABLE t2(b INT PRIMARY KEY);
+INSERT INTO t1 VALUES ();
+INSERT INTO t2 VALUES (1), (2), (3);
+SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
+DROP TABLE t1, t2;
+
+
+--echo End of 5.1 tests
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index 5c2fb9857d5..4ae381af683 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -4220,13 +4220,14 @@ Item_func::optimize_type Item_func_like::select_optimize() const
 if (args[1]->const_item())
 {
 String* res2= args[1]->val_str((String *)&tmp_value2);
+ const char *ptr2;
- if (!res2)
+ if (!res2 || !(ptr2= res2->ptr()))
 return OPTIMIZE_NONE;
- if (*res2->ptr() != wild_many)
+ if (*ptr2 != wild_many)
 {
- if (args[0]->result_type() != STRING_RESULT || *res2->ptr() != wild_one)
+ if (args[0]->result_type() != STRING_RESULT || *ptr2 != wild_one)
 return OPTIMIZE_OP;
 }
 }
From 50a3c55ee7e378b36bca5940e382fb18674dbd9b Mon Sep 17 00:00:00 2001
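Review bot: The new guard `if (!res2 || !(ptr2= res2->ptr()))` in select_optimize() rejects only a NULL buffer, so a zero-length pattern whose String still owns a buffer reaches `*ptr2` and reads a byte outside its logical length. Whether String::ptr() can return a non-NULL buffer for an empty value is not visible in this hunk, but a length test covers both shapes and its only effect is that an empty pattern is no longer range-optimised: `if (!res2 || !res2->length() || !(ptr2= res2->ptr()))`. The reason the pointer can be NULL lives only in the commit message; a comment on the guard, e.g. `/* ptr() may be NULL for an empty value, see Bug#54575 */`, keeps it next to the code. select_optimize() begins before this hunk.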
From: Sergey Glukhov
Date: Mon, 8 Nov 2010 13:51:39 +0300
Subject: [PATCH 3/4] Bug#52711 Segfault when doing EXPLAIN SELECT with union...order by (select... where...) backport from 5.1

mysql-test/r/subselect.result:
backport from 5.1
mysql-test/t/subselect.test:
backport from 5.1
sql/sql_select.cc:
backport from 5.1
---
 mysql-test/r/subselect.result | 16 ++++++++++++++++
 mysql-test/t/subselect.test | 21 +++++++++++++++++++++
 sql/sql_select.cc | 5 +++--
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/mysql-test/r/subselect.result b/mysql-test/r/subselect.result
index 09a650c722b..7fbe4c08b08 100644
--- a/mysql-test/r/subselect.result
+++ b/mysql-test/r/subselect.result
@@ -4527,4 +4527,20 @@ pk int_key
 3 3
 7 3
 DROP TABLE t1,t2;
+#
+# Bug #52711: Segfault when doing EXPLAIN SELECT with
+# union...order by (select... where...)
+#
+CREATE TABLE t1 (a VARCHAR(10), FULLTEXT KEY a (a));
+INSERT INTO t1 VALUES (1),(2);
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (1),(2);
+# Should not crash
+EXPLAIN
+SELECT * FROM t2 UNION SELECT * FROM t2
+ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
+# Should not crash
+SELECT * FROM t2 UNION SELECT * FROM t2
+ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
+DROP TABLE t1,t2;
 End of 5.0 tests.
diff --git a/mysql-test/t/subselect.test b/mysql-test/t/subselect.test
index bd12742f0f1..0956f91619d 100644
--- a/mysql-test/t/subselect.test
+++ b/mysql-test/t/subselect.test
@@ -3506,5 +3506,26 @@ ORDER BY outr.pk;
 DROP TABLE t1,t2;
+--echo #
+--echo # Bug #52711: Segfault when doing EXPLAIN SELECT with
+--echo # union...order by (select... where...)
+--echo #
+
+CREATE TABLE t1 (a VARCHAR(10), FULLTEXT KEY a (a));
+INSERT INTO t1 VALUES (1),(2);
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (1),(2);
+
+--echo # Should not crash
+--disable_result_log
+EXPLAIN
+SELECT * FROM t2 UNION SELECT * FROM t2
+ ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
+
+--echo # Should not crash
+SELECT * FROM t2 UNION SELECT * FROM t2
+ ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
+DROP TABLE t1,t2;
+--enable_result_log
 --echo End of 5.0 tests.
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 53a6b699022..929ef3c8949 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -501,7 +501,7 @@ JOIN::prepare(Item ***rref_pointer_array,
 thd->lex->allow_sum_func= save_allow_sum_func;
 }
- if (!thd->lex->view_prepare_mode)
+ if (!thd->lex->view_prepare_mode && !(select_options & SELECT_DESCRIBE))
 {
 Item_subselect *subselect;
 /* Is it subselect? */
@@ -6861,7 +6861,8 @@ remove_const(JOIN *join,ORDER *first_order, COND *cond,
 *simple_order=0; // Must do a temp table to sort
 else if (!(order_tables & not_const_tables))
 {
- if (order->item[0]->with_subselect)
+ if (order->item[0]->with_subselect &&
+ !(join->select_lex->options & SELECT_DESCRIBE))
 order->item[0]->val_str(&order->item[0]->str_value);
 DBUG_PRINT("info",("removing: %s", order->item[0]->full_name()));
 continue; // skip const item
From aa668865e271694e9b3ebbfe518cb4d0c2ad0c38 Mon Sep 17 00:00:00 2001
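Review bot: The changed `if` in remove_const() now skips `order->item[0]->val_str(...)` under EXPLAIN, but nothing at the site records why a const subquery is evaluated there in the first place, nor why doing so while describing is unsafe; a comment would spare the next reader the trip to the bug tracker, e.g. `/* Bug#52711: do not evaluate the subquery under EXPLAIN, it is not set up for execution then */` (my reading of the fix, worth confirming). The sibling hunk in JOIN::prepare() reads the flag from `select_options` while this one reads `join->select_lex->options`; if both are meant to see the same SELECT_DESCRIBE bit, taking it from one source in both places would make that explicit. remove_const() starts before the hunk and continues after it.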
From: Alexander Barkov
Date: Thu, 11 Nov 2010 13:25:23 +0300
Subject: [PATCH 4/4] Bug#57257 Replace(ExtractValue(...)) causes MySQL crash Bug#57820 extractvalue crashes

Problem: ExtractValue and Replace crashed in some cases due to invalid handling of empty and NULL arguments.

Per file comments:
@mysql-test/r/ctype_ujis.result
@mysql-test/r/xml.result
@mysql-test/t/ctype_ujis.test
@mysql-test/t/xml.test
Adding tests
@sql/item_strfunc.cc
Make sure Item_func_replace::val_str safely handles empty strings.
@sql/item_xmlfunc.cc
set null_value if nodeset_func returned NULL, which is possible when the second argument is an unset user variable.
---
 mysql-test/r/ctype_ujis.result | 10 ++++++++++
 mysql-test/r/xml.result | 13 +++++++++++++
 mysql-test/t/ctype_ujis.test | 7 +++++++
 mysql-test/t/xml.test | 11 +++++++++++
 sql/item_strfunc.cc | 8 +++++++-
 sql/item_xmlfunc.cc | 4 ++--
 6 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/mysql-test/r/ctype_ujis.result b/mysql-test/r/ctype_ujis.result
index 540ba178756..765ad5a96ca 100644
--- a/mysql-test/r/ctype_ujis.result
+++ b/mysql-test/r/ctype_ujis.result
@@ -2374,6 +2374,16 @@ hex(convert(_latin1 0xA4A2 using ujis)) hex(c2)
 DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis);
+CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis)
+
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: 'a'
+Warning 1292 Truncated incorrect INTEGER value: 'a'
 set names default;
 set character_set_database=default;
 set character_set_server=default;
diff --git a/mysql-test/r/xml.result b/mysql-test/r/xml.result
index fad2cab0e57..e6811789679 100644
--- a/mysql-test/r/xml.result
+++ b/mysql-test/r/xml.result
@@ -1093,4 +1093,17 @@ Warnings:
 Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 Warning 1525 Incorrect XML value: 'parse error at line 1 pos 23: unexpected END-OF-INPUT'
 DROP TABLE t1;
+#
+# Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+#
+SET NAMES utf8;
+SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds','');
+REPLACE(EXTRACTVALUE('1', '/a'),'ds','')
+
+#
+# Bug #57820 extractvalue crashes
+#
+SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k')));
+AVG(DISTINCT EXTRACTVALUE((''),('$@k')))
+NULL
 End of 5.1 tests
diff --git a/mysql-test/t/ctype_ujis.test b/mysql-test/t/ctype_ujis.test
index 400f1301dd3..4c29a2e11a0 100644
--- a/mysql-test/t/ctype_ujis.test
+++ b/mysql-test/t/ctype_ujis.test
@@ -1209,6 +1209,13 @@ DROP PROCEDURE sp1;
 DROP TABLE t1;
 DROP TABLE t2;
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT CONVERT(REPLACE(EXPORT_SET('a','a','a','','a'),'00','') USING ujis);
+
+
 set names default;
 set character_set_database=default;
 set character_set_server=default;
diff --git a/mysql-test/t/xml.test b/mysql-test/t/xml.test
index 6e7d38cdfca..a8917fc9fe7 100644
--- a/mysql-test/t/xml.test
+++ b/mysql-test/t/xml.test
@@ -617,4 +617,15 @@ FROM t1 ORDER BY t1.id;
 DROP TABLE t1;
+--echo #
+--echo # Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
+--echo #
+SET NAMES utf8;
+SELECT REPLACE(EXTRACTVALUE('1', '/a'),'ds','');
+
+--echo #
+--echo # Bug #57820 extractvalue crashes
+--echo #
+SELECT AVG(DISTINCT EXTRACTVALUE((''),('$@k')));
+
 --echo End of 5.1 tests
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 8fda281bd9e..fd5c47d25cb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -904,9 +904,15 @@ String *Item_func_replace::val_str(String *str)
 search=res2->ptr();
 search_end=search+from_length;
 redo:
+ DBUG_ASSERT(res->ptr() || !offset);
 ptr=res->ptr()+offset;
 strend=res->ptr()+res->length();
- end=strend-from_length+1;
+ /*
+ In some cases val_str() can return empty string
+ with ptr() == NULL and length() == 0.
+ Let's check strend to avoid overflow.
+ */
+ end= strend ? strend - from_length + 1 : NULL;
 while (ptr < end)
 {
 if (*ptr == *search)
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc
index 3e20b90e68e..364311877e0 100644
--- a/sql/item_xmlfunc.cc
+++ b/sql/item_xmlfunc.cc
@@ -2790,12 +2790,12 @@ String *Item_func_xml_extractvalue::val_str(String *str)
 null_value= 0;
 if (!nodeset_func ||
 !(res= args[0]->val_str(str)) ||
- !parse_xml(res, &pxml))
+ !parse_xml(res, &pxml) ||
+ !(res= nodeset_func->val_str(&tmp_value)))
 {
 null_value= 1;
 return 0;
 }
- res= nodeset_func->val_str(&tmp_value);
 return res;
 }
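Review bot: `end= strend ? strend - from_length + 1 : NULL;` removes the crash but `end` is still produced by pointer arithmetic: when `res` owns a buffer shorter than `from_length`, `strend - from_length + 1` points before that buffer, and the `ptr=res->ptr()+offset` line above it still does arithmetic on a NULL pointer in exactly the empty-string case the new comment describes. A length test states the intent directly and never forms an out-of-range pointer: `end= (strend && res->length() >= from_length) ? strend - from_length + 1 : NULL;`, with the comment reading `/* val_str() may return an empty String whose ptr() is NULL; never derive a pointer before the buffer */`, since nothing here overflows. `DBUG_ASSERT` is compiled out of release builds, so after a `goto redo` only the `end` test stands between a NULL buffer and the loop. Item_func_replace::val_str() begins before and continues after this hunk.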
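Review bot: The added `!(res= nodeset_func->val_str(&tmp_value))` is the one condition whose cause is not obvious from the code — the commit message attributes it to an unset user variable passed as the XPath argument — and it is also the point where `res` silently changes meaning from the XML text to the extracted value, so it deserves a comment, e.g. `/* Bug#57820: no String when the XPath argument is NULL, e.g. an unset user variable; res now holds the result */`. Folding four failures into one `null_value= 1` is fine for callers, but the short-circuit `||` chain is now the only thing that orders `parse_xml()` before `nodeset_func->val_str()`, which presumably consumes `pxml`; a word on that in the same comment would stop a later reordering from reintroducing the crash.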