Fix for BUG#15588: String overrun during sp-vars.test

The bug appears after implementation of WL#2984 (Make stored routine variables work according to the standard). mysql-test/r/type_varchar.result: Update result file. mysql-test/t/type_varchar.test: Add a test for BUG#15588. sql/field.cc: - use memmove() instead of memcpy() -- after implementation of WL#2984 (Make stored routine variables work according to the standard) it is possible to store in the field the value from this field. For instance, this can happen for the following statement: SET sp_var = SUBSTR(sp_var, 1, 3); sql/sp_head.cc: - Work correctly with String: - String length has to be be reset before use; - qs_append() does not allocate memory, so the memory should be reserved beforehand. sql/sql_select.cc: Polishing: should have been done in WL#2984.

Fix for BUG#15588: String overrun during sp-vars.test
The bug appears after implementation of WL#2984 (Make stored routine variables work according to the standard). mysql-test/r/type_varchar.result: Update result file. mysql-test/t/type_varchar.test: Add a test for BUG#15588. sql/field.cc: - use memmove() instead of memcpy() -- after implementation of WL#2984 (Make stored routine variables work according to the standard) it is possible to store in the field the value from this field. For instance, this can happen for the following statement: SET sp_var = SUBSTR(sp_var, 1, 3); sql/sp_head.cc: - Work correctly with String: - String length has to be be reset before use; - qs_append() does not allocate memory, so the memory should be reserved beforehand. sql/sql_select.cc: Polishing: should have been done in WL#2984.
b688b196 · unknown · 1fe12884 · b688b196 · b688b196 · b688b196
Commit b688b196 authored Jan 20, 2006 by unknown
5 changed files
--- a/mysql-test/r/type_varchar.result
+++ b/mysql-test/r/type_varchar.result
@@ -415,3 +415,10 @@ t1	CREATE TABLE `t1` (
  KEY `index1` (`f1`(10))
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 drop table t1;
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1(f1 VARCHAR(100) DEFAULT 'test');
+INSERT INTO t1 VALUES(SUBSTR(f1, 1, 3));
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1(f1 CHAR(100) DEFAULT 'test');
+INSERT INTO t1 VALUES(SUBSTR(f1, 1, 3));
+DROP TABLE IF EXISTS t1;
--- a/mysql-test/t/type_varchar.test
+++ b/mysql-test/t/type_varchar.test
@@ -130,3 +130,19 @@ show create table t1;
 alter table t1 modify f1 tinytext;
 show create table t1;
 drop table t1;
+#
+# BUG#15588: String overrun
+#
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+CREATE TABLE t1(f1 VARCHAR(100) DEFAULT 'test');
+INSERT INTO t1 VALUES(SUBSTR(f1, 1, 3));
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1(f1 CHAR(100) DEFAULT 'test');
+INSERT INTO t1 VALUES(SUBSTR(f1, 1, 3));
+DROP TABLE IF EXISTS t1;
--- a/sql/field.cc
+++ b/sql/field.cc
@@ -5873,7 +5873,7 @@ int Field_string::store(const char *from,uint length,CHARSET_INFO *cs)
                                                    field_length/
                                                    field_charset->mbmaxlen,
                                                    &well_formed_error);
-  memcpy(ptr,from,copy_length);
+  memmove(ptr, from, copy_length);
  /* Append spaces if the string was shorter than the field. */
  if (copy_length < field_length)
@@ -6266,7 +6266,7 @@ int Field_varstring::store(const char *from,uint length,CHARSET_INFO *cs)
 						    field_length/
 						    field_charset->mbmaxlen,
                                                    &well_formed_error);
-  memcpy(ptr + length_bytes, from, copy_length);
+  memmove(ptr + length_bytes, from, copy_length);
  if (length_bytes == 1)
    *ptr= (uchar) copy_length;
  else

--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@@ -105,21 +105,27 @@ sp_get_item_value(Item *item, String *str)
  case STRING_RESULT:
    {
-      char buf_holder[STRING_BUFFER_USUAL_SIZE];
-      String buf(buf_holder, sizeof(buf_holder), &my_charset_latin1);
      String *result= item->val_str(str);
      if (!result)
        return NULL;
-      buf.append('_');
+      {
-      buf.append(result->charset()->csname);
+        char buf_holder[STRING_BUFFER_USUAL_SIZE];
-      buf.append('\'');
+        String buf(buf_holder, sizeof(buf_holder), result->charset());
-      buf.append(*result);
-      buf.append('\'');
+        /* We must reset length of the buffer, because of String specificity. */
-      str->copy(buf);
+        buf.length(0);
-      return str;
+        buf.append('_');
+        buf.append(result->charset()->csname);
+        buf.append('\'');
+        buf.append(*result);
+        buf.append('\'');
+        str->copy(buf);
+        return str;
+      }
    }
  case ROW_RESULT:
@@ -3085,9 +3091,16 @@ sp_instr_set_case_expr::exec_core(THD *thd, uint *nextp)
 void
 sp_instr_set_case_expr::print(String *str)
 {
-  str->append(STRING_WITH_LEN("set_case_expr "));
+  const char CASE_EXPR_TAG[]= "set_case_expr ";
+  const int CASE_EXPR_TAG_LEN= sizeof(CASE_EXPR_TAG) - 1;
+  const int INT_STRING_MAX_LEN= 10;
+  /* We must call reserve(), because qs_append() doesn't care about memory. */
+  str->reserve(CASE_EXPR_TAG_LEN + INT_STRING_MAX_LEN + 2);
+  str->qs_append(CASE_EXPR_TAG, CASE_EXPR_TAG_LEN);
  str->qs_append(m_case_expr_id);
-  str->append(' ');
+  str->qs_append(' ');
  m_case_expr->print(str);
 }

--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -9046,7 +9046,7 @@ TABLE *create_virtual_tmp_table(THD *thd, List<create_field> &field_list)
    ++field;
  }
-  *field= NULL;                                 /* mark the end of the list */
+  *field= NULL;                             /* mark the end of the list */
  s->blob_field[blob_count]= 0;             /* mark the end of the list */
  s->blob_fields= blob_count;