File: 90_tmp__limit_comma_bug.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run
## 99-unnamed.dpatch by  <ch@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes a heap buffer overrun that crashed the server when a query's ORDER BY
## DP: list had more elements than its GROUP BY list (e.g. "GROUP BY x ORDER BY a,b,c,d
## DP: LIMIT 1,30"). MySQL BUG#25172. Closes: #403721

@DPATCH@

# From: eugene at mysql dot com
# Date: January 19 2007 4:34pm
# Subject: bk commit into 5.0 tree (evgen:1.2385) BUG#25172
# 
# Below is the list of changes that have just been committed into a local
# 5.0 repository of evgen. When evgen does a push these changes will
# be propagated to the main repository and, within 24 hours after the
# push, to the public repository.
# For information on how to access the public repository
# see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html
# 
# ChangeSet@stripped, 2007-01-19 18:34:09+03:00, evgen@stripped +6 -0
#   Bug#25172: Not checked buffer size leads to a server crash.
#   
#   After fix for bug#21798 JOIN stores the pointer to the buffer for sorting
#   fields. It is used while sorting for grouping and for ordering. If ORDER BY
#   clause has more elements than the GROUP BY clause then a memory overrun occurs.
#   
#   Now the length of the ORDER BY list is always passed to the 
#   make_unireg_sortorder() function and it allocates buffer big enough to be
#   used for bigger list.
# 
#   mysql-test/r/select.result@stripped, 2007-01-19 18:33:41+03:00, evgen@stripped +8 -0
#     Added a test case for bug#25172: Not checked buffer size leads to a server crash.
# 
#   mysql-test/t/select.test@stripped, 2007-01-19 18:33:44+03:00, evgen@stripped +11 -0
#     Added a test case for bug#25172: Not checked buffer size leads to a server crash.
# 
#   sql/sql_delete.cc@stripped, 2007-01-19 18:33:25+03:00, evgen@stripped +1 -1
#     Bug#25172: Not checked buffer size leads to a server crash.
#     Length parameter is initialized to 0 for the make_unireg_sortorder() function.
# 
#   sql/sql_select.cc@stripped, 2007-01-19 18:33:29+03:00, evgen@stripped +8 -4
#     Bug#25172: Not checked buffer size leads to a server crash.
#     Now the length of the ORDER BY list is always passed to the 
#     make_unireg_sortorder() function and it allocates buffer big enough to be
#     used for bigger list.
# 
#   sql/sql_table.cc@stripped, 2007-01-19 18:33:37+03:00, evgen@stripped +1 -1
#     Bug#25172: Not checked buffer size leads to a server crash.
#     Length parameter is initialized to 0 for the make_unireg_sortorder() function.
# 
#   sql/sql_update.cc@stripped, 2007-01-19 18:33:40+03:00, evgen@stripped +1 -1
#     Bug#25172: Not checked buffer size leads to a server crash.
#     Length parameter is initialized to 0 for the make_unireg_sortorder() function.
# 
# # This is a BitKeeper patch.  What follows are the unified diffs for the
# # set of deltas contained in the patch.  The rest of the patch, the part
# # that BitKeeper cares about, is below these diffs.
# # User:	evgen
# # Host:	moonbone.local
# # Root:	/mnt/gentoo64/work/25172-bug-5.0-opt-mysql

--- 1.189/sql/sql_delete.cc	2007-01-12 16:40:31 +03:00
+++ 1.190/sql/sql_delete.cc	2007-01-19 18:33:25 +03:00
@@ -142,7 +142,7 @@
 
   if (order && order->elements)
   {
-    uint         length;
+    uint         length= 0;
     SORT_FIELD  *sortorder;
     TABLE_LIST   tables;
     List<Item>   fields;

--- 1.480/sql/sql_select.cc	2007-01-15 22:40:19 +03:00
+++ 1.481/sql/sql_select.cc	2007-01-19 18:33:29 +03:00
@@ -12262,7 +12262,7 @@
 create_sort_index(THD *thd, JOIN *join, ORDER *order,
 		  ha_rows filesort_limit, ha_rows select_limit)
 {
-  uint length;
+  uint length= 0;
   ha_rows examined_rows;
   TABLE *table;
   SQL_SELECT *select;
@@ -12283,8 +12283,10 @@
        !(join->select_options & SELECT_BIG_RESULT)) &&
       test_if_skip_sort_order(tab,order,select_limit,0))
     DBUG_RETURN(0);
+  for (ORDER *ord= join->order; ord; ord= ord->next)
+    length++;
   if (!(join->sortorder= 
-        make_unireg_sortorder(order,&length,join->sortorder)))
+        make_unireg_sortorder(order, &length, join->sortorder)))
     goto err;				/* purecov: inspected */
 
   table->sort.io_cache=(IO_CACHE*) my_malloc(sizeof(IO_CACHE),
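Review bot: The new loop counts `join->order` on every call and passes the total through `length`, but only the first call that finds `join->sortorder == NULL` actually sizes the buffer; later calls reuse it as is, so the fix holds only if every path that first allocates `join->sortorder` goes through this counting. If some other site allocates `join->sortorder` first (not visible here), the original overrun reappears silently, since nothing records the buffer's capacity. Worth a comment above the loop so the invariant is explicit: `/* Count the ORDER BY list too: join->sortorder is shared between the GROUP BY and ORDER BY sorts and is only allocated on the first call. */`. create_sort_index continues outside the hunk.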
@@ -12690,8 +12692,10 @@
   for (ORDER *tmp = order; tmp; tmp=tmp->next)
     count++;
   if (!sortorder)
-    sortorder= (SORT_FIELD*) sql_alloc(sizeof(SORT_FIELD)*(count+1));
-  pos=sort=sortorder;
+    sortorder= (SORT_FIELD*) sql_alloc(sizeof(SORT_FIELD) *
+                                       (max(count, *length) + 1));
+  pos= sort= sortorder;
+
   if (!pos)
     return 0;
 
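Review bot: Reuse of a caller-supplied `sortorder` still has no capacity check: when `sortorder` is non-NULL the function goes on to write `count` entries into it regardless of how large it was allocated, so the overrun that BUG#25172 describes is prevented only by caller discipline around `*length`, not by anything in this function. Since the allocated size is not stored anywhere visible, the minimal hardening inside the existing interface is to document the contract on `length` above the allocation — that on input it is the largest element count any later reuse of the same buffer will need, and that a non-NULL `sortorder` is assumed to have been allocated that way. A `DBUG_ASSERT(count <= *length);` on the reuse path would catch violations in debug builds, provided `*length` really does carry the capacity when a buffer is passed in; I can't confirm that from the hunk alone. make_unireg_sortorder's signature and the rest of its body are outside the hunk.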

--- 1.329/sql/sql_table.cc	2006-12-23 22:04:27 +03:00
+++ 1.330/sql/sql_table.cc	2007-01-19 18:33:37 +03:00
@@ -3883,7 +3883,7 @@
   Copy_field *copy,*copy_end;
   ulong found_count,delete_count;
   THD *thd= current_thd;
-  uint length;
+  uint length= 0;
   SORT_FIELD *sortorder;
   READ_RECORD info;
   TABLE_LIST   tables;

--- 1.207/sql/sql_update.cc	2006-12-30 23:02:07 +03:00
+++ 1.208/sql/sql_update.cc	2007-01-19 18:33:40 +03:00
@@ -304,7 +304,7 @@
 	Doing an ORDER BY;  Let filesort find and sort the rows we are going
 	to update
       */
-      uint         length;
+      uint         length= 0;
       SORT_FIELD  *sortorder;
       ha_rows examined_rows;
 

--- 1.143/mysql-test/r/select.result	2006-10-19 16:37:44 +04:00
+++ 1.144/mysql-test/r/select.result	2007-01-19 18:33:41 +03:00
@@ -3611,3 +3611,11 @@
 1	SIMPLE	t2	range	si,ai	si	5	NULL	2	Using where
 1	SIMPLE	t3	eq_ref	PRIMARY,ci	PRIMARY	4	test.t2.a	1	Using where
 DROP TABLE t1,t2,t3;
+CREATE TABLE t1 ( f1 int primary key, f2 int, f3 int, f4 int, f5 int, f6 int, checked_out int);
+CREATE TABLE t2 ( f11 int PRIMARY KEY );
+INSERT INTO t1 VALUES (1,1,1,0,0,0,0),(2,1,1,3,8,1,0),(3,1,1,4,12,1,0);
+INSERT INTO t2 VALUES (62);
+SELECT * FROM t1 LEFT JOIN t2 ON f11 = t1.checked_out GROUP BY f1 ORDER BY f2, f3, f4, f5 LIMIT 0, 1;
+f1	f2	f3	f4	f5	f6	checked_out	f11
+1	1	1	0	0	0	0	NULL
+DROP TABLE t1, t2;

--- 1.117/mysql-test/t/select.test	2006-11-20 23:41:41 +03:00
+++ 1.118/mysql-test/t/select.test	2007-01-19 18:33:44 +03:00
@@ -3092,3 +3092,14 @@
         t3.c IN ('bb','ee');
 
 DROP TABLE t1,t2,t3;
+ 
+#
+# Bug#25172: Not checked buffer size leads to a server crash
+#
+CREATE TABLE t1 ( f1 int primary key, f2 int, f3 int, f4 int, f5 int, f6 int, checked_out int);
+CREATE TABLE t2 ( f11 int PRIMARY KEY );
+INSERT INTO t1 VALUES (1,1,1,0,0,0,0),(2,1,1,3,8,1,0),(3,1,1,4,12,1,0);
+INSERT INTO t2 VALUES (62);
+SELECT * FROM t1 LEFT JOIN t2 ON f11 = t1.checked_out GROUP BY f1 ORDER BY f2, f3, f4, f5 LIMIT 0, 1;
+DROP TABLE t1, t2;
+