Bug #16881: password() and union select

This was only demonstrated by the use of PASSWORD(), it was not related to that function at all. The calculation of the size of a field in the results of a UNION did not take into account the possible growth of a string field when being converted to the aggregated character set.

Bug #16881: password() and union select
This was only demonstrated by the use of PASSWORD(), it was not related to that function at all. The calculation of the size of a field in the results of a UNION did not take into account the possible growth of a string field when being converted to the aggregated character set.
5fda0b99 · jimw@rama.(none) · b7a55b9b · 5fda0b99 · 5fda0b99 · 5fda0b99
Commit 5fda0b99 authored Jul 21, 2006 by jimw@rama.(none)
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 4 deletions

mysql-test/r/union.result mysql-test/r/union.result +5 -0

mysql-test/t/union.test mysql-test/t/union.test +7 -0

sql/item.cc sql/item.cc +12 -4

No files found.
--- a/mysql-test/r/union.result
+++ b/mysql-test/r/union.result
@@ -1351,3 +1351,8 @@ drop table t1;
 (select avg(1)) union (select avg(1)) union (select avg(1));
 avg(1)
 NULL
+select _utf8'12' union select _latin1'12345';
+12
+12
+12345
+End of 5.0 tests
--- a/mysql-test/t/union.test
+++ b/mysql-test/t/union.test
@@ -841,3 +841,10 @@ drop table t1;
 (select avg(1)) union (select avg(1)) union (select avg(1)) union
 (select avg(1)) union (select avg(1)) union (select avg(1));
+#
+# Bug #16881: password() and union select
+# (The issue was poor handling of character set aggregation.)
+#
+select _utf8'12' union select _latin1'12345';
+--echo End of 5.0 tests
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -6053,14 +6053,13 @@ bool Item_type_holder::join_types(THD *thd, Item *item)
    max_length= my_decimal_precision_to_length(precision, decimals,
                                               unsigned_flag);
  }
-  else
-    max_length= max(max_length, display_length(item));
  switch (Field::result_merge_type(fld_type))
  {
  case STRING_RESULT:
  {
    const char *old_cs, *old_derivation;
+    uint32 old_max_chars= max_length / collation.collation->mbmaxlen;
    old_cs= collation.collation->name;
    old_derivation= collation.derivation_name();
    if (collation.aggregate(item->collation, MY_COLL_ALLOW_CONV))
@@ -6072,6 +6071,14 @@ bool Item_type_holder::join_types(THD *thd, Item *item)
 	       "UNION");
      DBUG_RETURN(TRUE);
    }
+    /*
+      To figure out max_length, we have to take into account possible
+      expansion of the size of the values because of character set
+      conversions.
+     */
+    max_length= max(old_max_chars * collation.collation->mbmaxlen,
+                    display_length(item) / item->collation.collation->mbmaxlen *
+                    collation.collation->mbmaxlen);
    break;
  }
  case REAL_RESULT:
@@ -6090,7 +6097,8 @@ bool Item_type_holder::join_types(THD *thd, Item *item)
      max_length= (fld_type == MYSQL_TYPE_FLOAT) ? FLT_DIG+6 : DBL_DIG+7;
    break;
  }
-  default:;
+  default:
+    max_length= max(max_length, display_length(item));
  };
  maybe_null|= item->maybe_null;
  get_full_info(item);