From 9fc39adfda1391892a5604c0b754d07edb3690cd Mon Sep 17 00:00:00 2001
From: Kristofer Pettersson
Date: Mon, 11 Aug 2008 11:40:54 +0200
Subject: [PATCH 1/4] Bug#38486 Crash when using cursor protocol

Server side cursors were not initialized properly and this caused a reference to uninitialized memory.
---
 sql/sql_cursor.cc | 5 ++++-
 tests/mysql_client_test.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/sql/sql_cursor.cc b/sql/sql_cursor.cc
index c2345f1f2cd..16567765ba6 100644
--- a/sql/sql_cursor.cc
+++ b/sql/sql_cursor.cc
@@ -111,7 +111,8 @@ class Select_materialize: public select_union
 select_result *result; /* the result object of the caller (PS or SP) */
 public:
 Materialized_cursor *materialized_cursor;
- Select_materialize(select_result *result_arg) :result(result_arg) {}
+ Select_materialize(select_result *result_arg) :result(result_arg),
+ materialized_cursor(0) {}
 virtual bool send_fields(List &list, uint flags);
 };
@@ -155,6 +156,7 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
 if (! (sensitive_cursor= new (thd->mem_root) Sensitive_cursor(thd, result)))
 {
 delete result_materialize;
+ result_materialize= NULL;
 return 1;
 }
 
@@ -212,6 +214,7 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
 if ((rc= materialized_cursor->open(0)))
 {
 delete materialized_cursor;
+ materialized_cursor= NULL;
 goto err_open;
 }
 
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 5e1c2afe84a..4336bfa0c59 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
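Review bot: The new initializer `materialized_cursor(0)` spells a null pointer as a bare 0 while the two other hunks of this same commit write `result_materialize= NULL;` and `materialized_cursor= NULL;`; `materialized_cursor(NULL)` would keep the spelling consistent within the patch. The initializer is what removes the uninitialized read the commit message describes, so a one-line comment on the member, `/* NULL until a cursor has been materialized */`, would record the invariant the fix relies on; whether send_fields() is what later fills it cannot be seen from this hunk.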
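Review bot: The `result_materialize= NULL;` added immediately before `return 1;` is a dead store if result_materialize is a local of mysql_open_cursor, as the surrounding lines suggest; it is harmless, but it reads as if something later consumes the pointer. In the next hunk the same pattern precedes `goto err_open`, where clearing `materialized_cursor` plausibly matters because the cleanup after the label may still look at it; if that is the intent in both places, a comment such as `/* cleared so the error path cannot delete it twice */` would make it explicit. mysql_open_cursor starts and ends outside these hunks, so the err_open cleanup itself is not visible here.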
@@ -16189,6 +16189,35 @@ static void test_bug32265()
 DBUG_VOID_RETURN;
 }
 
+
+/**
+ Bug#38486 Crash when using cursor protocol
+*/
+
+static void test_bug38486(void)
+{
+ myheader("test_bug38486");
+
+ MYSQL_STMT *stmt;
+ stmt= mysql_stmt_init(mysql);
+ unsigned long type= CURSOR_TYPE_READ_ONLY;
+ mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
+ const char *sql= "CREATE TABLE t1 (a INT)";
+ mysql_stmt_prepare(stmt,sql,strlen(sql));
+
+ mysql_stmt_execute(stmt);
+ mysql_stmt_close(stmt);
+
+ stmt= mysql_stmt_init(mysql);
+ mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
+ const char *sql2= "INSERT INTO t1 VALUES (1)";
+ mysql_stmt_prepare(stmt,sql2,strlen(sql2));
+ mysql_stmt_execute(stmt);
+
+ mysql_stmt_close(stmt);
+}
+
+
 /*
 Read and parse arguments and MySQL options from my.cnf
 */
@@ -16483,6 +16512,7 @@ static struct my_tests_st my_tests[]= {
 { "test_bug29306", test_bug29306 },
 { "test_bug31669", test_bug31669 },
 { "test_bug32265", test_bug32265 },
+ { "test_bug38486", test_bug38486 },
 { 0, 0 }
 };
 
From bafa07b2c49c1d64e1b58d1df78889ca1a5cda0d Mon Sep 17 00:00:00 2001
From: Davi Arnaut
Date: Mon, 11 Aug 2008 10:08:21 -0300
Subject: [PATCH 2/4] Post-merge fix: Silence warning due to type mismatch.

---
 client/mysql_upgrade.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c
index 15fa6622f74..74e8c9dd577 100644
--- a/client/mysql_upgrade.c
+++ b/client/mysql_upgrade.c
@@ -364,7 +364,9 @@ static void find_tool(char *tool_executable_name, const char *tool_name,
 }
 else
 {
- /*
+ int len;
+
+ /*
 mysql_upgrade was run absolutely or relatively. We can find a sibling
 by replacing our name after the LIBCHAR with the new tool name.
 */
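Review bot: None of the client calls in test_bug38486 check their result: the values returned by `mysql_stmt_init`, `mysql_stmt_prepare` and `mysql_stmt_execute` are discarded, so if the CREATE fails (for instance because a `t1` left behind by an earlier test already exists) the rest of the test runs against an errored statement and the regression can only surface as a crash, never as a reported failure. The rest of this file checks every step with `check_stmt(stmt)` after init and `rc= ...; check_execute(stmt, rc);` after prepare and execute, and tests that create `t1` drop it before and after; the new test should do the same. The declarations `MYSQL_STMT *stmt;`, `unsigned long type`, `const char *sql` and `const char *sql2` also appear after statements, which is not C89 and differs from the block-start declarations used elsewhere in this file. A rewrite of the body along those lines follows.
```c
static void test_bug38486(void)
{
  MYSQL_STMT *stmt;
  int rc;
  unsigned long type= CURSOR_TYPE_READ_ONLY;
  const char *sql= "CREATE TABLE t1 (a INT)";
  const char *sql2= "INSERT INTO t1 VALUES (1)";

  myheader("test_bug38486");

  rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
  myquery(rc);

  /* DDL through a read-only cursor: the statement has no result set */
  stmt= mysql_stmt_init(mysql);
  check_stmt(stmt);
  mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
  rc= mysql_stmt_prepare(stmt, sql, strlen(sql));
  check_execute(stmt, rc);
  rc= mysql_stmt_execute(stmt);
  check_execute(stmt, rc);
  mysql_stmt_close(stmt);

  /* DML through a read-only cursor, same expectations */
  stmt= mysql_stmt_init(mysql);
  check_stmt(stmt);
  mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
  rc= mysql_stmt_prepare(stmt, sql2, strlen(sql2));
  check_execute(stmt, rc);
  rc= mysql_stmt_execute(stmt);
  check_execute(stmt, rc);
  mysql_stmt_close(stmt);

  rc= mysql_query(mysql, "DROP TABLE t1");
  myquery(rc);
}
```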
@@ -385,10 +387,10 @@ static void find_tool(char *tool_executable_name, const char *tool_name,
 last_fn_libchar -= 6;
 }
 
+ len= last_fn_libchar - self_name;
+
 my_snprintf(tool_executable_name, FN_REFLEN, "%.*s%c%s",
- (last_fn_libchar - self_name), self_name,
- FN_LIBCHAR,
- tool_name);
+ len, self_name, FN_LIBCHAR, tool_name);
 }
 
 verbose("Looking for '%s' as: %s", tool_name, tool_executable_name);
From fe39a901bb1dd00e389be62979ff3a360ac920b5 Mon Sep 17 00:00:00 2001
From: Chad MILLER
Date: Mon, 11 Aug 2008 11:28:35 -0400
Subject: [PATCH 3/4] Backport compiler warning fix from 5.1-bugteam.

---
 client/mysql_upgrade.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c
index 15fa6622f74..74e8c9dd577 100644
--- a/client/mysql_upgrade.c
+++ b/client/mysql_upgrade.c
@@ -364,7 +364,9 @@ static void find_tool(char *tool_executable_name, const char *tool_name,
 }
 else
 {
- /*
+ int len;
+
+ /*
 mysql_upgrade was run absolutely or relatively. We can find a sibling
 by replacing our name after the LIBCHAR with the new tool name.
 */
@@ -385,10 +387,10 @@ static void find_tool(char *tool_executable_name, const char *tool_name,
 last_fn_libchar -= 6;
 }
 
+ len= last_fn_libchar - self_name;
+
 my_snprintf(tool_executable_name, FN_REFLEN, "%.*s%c%s",
- (last_fn_libchar - self_name), self_name,
- FN_LIBCHAR,
- tool_name);
+ len, self_name, FN_LIBCHAR, tool_name);
 }
 
 verbose("Looking for '%s' as: %s", tool_name, tool_executable_name);
From fd324dd3ff92594e8aa7fc04b0481639788c41c2 Mon Sep 17 00:00:00 2001
From: Marc Alff
Date: Mon, 11 Aug 2008 15:08:12 -0600
Subject: [PATCH 4/4] Bug#37302 (missing DBUG_RETURN macro in function "find_key_block" (5.0 only))

Fixed missing DBUG_RETURN in the function find_key_block
---
 mysys/mf_keycache.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mysys/mf_keycache.c b/mysys/mf_keycache.c
index f27ade7bfc0..0720d172317 100644
--- a/mysys/mf_keycache.c
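Review bot: `len= last_fn_libchar - self_name;` narrows a pointer difference (ptrdiff_t) to int implicitly; that is the type `%.*s` requires, so the warning goes away, but the conversion is now hidden in an assignment rather than stated. Writing `len= (int) (last_fn_libchar - self_name); /* %.*s takes an int precision */` documents why the temporary exists and keeps the intent visible to the next reader. The difference is presumably bounded by the length of self_name, so the narrowing looks safe, but the my_snprintf result is still unchecked, so a tool path that does not fit in FN_REFLEN is silently truncated before verbose() prints it and the tool is looked up. find_tool begins outside this hunk, and PATCH 3/4 carries an identical copy of both hunks, to which the same remarks apply.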
+++ b/mysys/mf_keycache.c
@@ -1382,7 +1382,7 @@ restart:
 /* We don't need the page in the cache: we are going to write on disk */
 hash_link->requests--;
 unlink_hash(keycache, hash_link);
- return 0;
+ DBUG_RETURN(0);
 }
 if (!(block->status & BLOCK_IN_FLUSH))
 {
@@ -1399,7 +1399,7 @@ restart:
 flag (see the code below that handles reading requests).
 */
 free_block(keycache, block);
- return 0;
+ DBUG_RETURN(0);
 }
 /* Wait intil the page is flushed on disk */
 hash_link->requests--;
@@ -1429,7 +1429,7 @@ restart:
 /* Invalidate page in the block if it has not been done yet */
 if (block->status)
 free_block(keycache, block);
- return 0;
+ DBUG_RETURN(0);
 }
 if (page_status == PAGE_READ &&