Automerge

c7f32b02 · Patrick Crews · 51c40c5b · b6f4b1c0 · c7f32b02 · c7f32b02
Commit c7f32b02 authored Sep 30, 2008 by Patrick Crews
7 changed files
--- a/mysql-test/r/sp-error.result
+++ b/mysql-test/r/sp-error.result
@@ -1513,3 +1513,10 @@ end loop label1;
 end loop;
 end|
 ERROR 42000: End-label label1 without match
+CREATE TABLE t1 (a INT)|
+INSERT INTO t1 VALUES (1),(2)|
+CREATE PROCEDURE p1(a INT) BEGIN END|
+CALL p1((SELECT * FROM t1))|
+ERROR 21000: Subquery returns more than 1 row
+DROP PROCEDURE IF EXISTS p1|
+DROP TABLE t1|
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -6662,6 +6662,16 @@ drop procedure p1;
 drop function f1;
 drop view v1;
 drop table t1;
+drop procedure if exists `p2` $
+create procedure `p2`(in `a` text charset utf8)
+begin
+declare `pos` int default 1;
+declare `str` text charset utf8;
+set `str` := `a`;
+select substr(`str`, `pos`+ 1 ) into `str`;
+end $
+call `p2`('s s s s s s');
+drop procedure `p2`;
 # ------------------------------------------------------------------
 # -- End of 5.0 tests
 # ------------------------------------------------------------------
--- a/mysql-test/t/sp-error.test
+++ b/mysql-test/t/sp-error.test
@@ -2173,6 +2173,14 @@ begin
    end loop;
 end|

+CREATE TABLE t1 (a INT)|
+INSERT INTO t1 VALUES (1),(2)|
+CREATE PROCEDURE p1(a INT) BEGIN END|
+--error ER_SUBQUERY_NO_1_ROW
+CALL p1((SELECT * FROM t1))|
+DROP PROCEDURE IF EXISTS p1|
+DROP TABLE t1|
+
 delimiter ;|

 #

--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@@ -7818,6 +7818,24 @@ drop function f1;
 drop view v1;
 drop table t1;

+#
+# Bug#38469 invalid memory read and/or crash with utf8 text field, stored procedure, uservar 
+#
+delimiter $;
+--disable_warnings
+drop procedure if exists `p2` $
+--enable_warnings
+create procedure `p2`(in `a` text charset utf8)
+begin
+        declare `pos` int default 1;
+        declare `str` text charset utf8;
+        set `str` := `a`;
+        select substr(`str`, `pos`+ 1 ) into `str`;
+end $
+delimiter ;$
+call `p2`('s s s s s s');
+drop procedure `p2`;
+
 --echo # ------------------------------------------------------------------
 --echo # -- End of 5.0 tests
 --echo # ------------------------------------------------------------------
--- a/sql/field.cc
+++ b/sql/field.cc
@@ -6992,8 +6992,18 @@ int Field_blob::store(const char *from,uint length,CHARSET_INFO *cs)
    return 0;
  }

-  if (from == value.ptr())
+  /*
+    If the 'from' address is in the range of the temporary 'value'-
+    object we need to copy the content to a different location or it will be
+    invalidated when the 'value'-object is reallocated to make room for
+    the new character set.
+  */
+  if (from >= value.ptr() && from <= value.ptr()+value.length())
  {
+    /*
+      If content of the 'from'-address is cached in the 'value'-object
+      it is possible that the content needs a character conversion.
+    */
    uint32 dummy_offset;
    if (!String::needs_conversion(length, cs, field_charset, &dummy_offset))
    {

--- a/sql/field.h
+++ b/sql/field.h
@@ -1213,8 +1213,16 @@ public:

 class Field_blob :public Field_longstr {
 protected:
+  /**
+    The number of bytes used to represent the length of the blob.
+  */
  uint packlength;
-  String value;				// For temporaries
+  
+  /**
+    The 'value'-object is a cache fronting the storage engine.
+  */
+  String value;
+  
 public:
  Field_blob(char *ptr_arg, uchar *null_ptr_arg, uchar null_bit_arg,
 	     enum utype unireg_check_arg, const char *field_name_arg,

--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@@ -1762,7 +1762,11 @@ sp_head::execute_procedure(THD *thd, List<Item> *args)
      we'll leave it here.
    */
    if (!thd->in_sub_stmt)
-      close_thread_tables(thd, 0, 0);
+    {
+      thd->lex->unit.cleanup();
+      close_thread_tables(thd);            
+      thd->rollback_item_tree_changes();
+    }

    DBUG_PRINT("info",(" %.*s: eval args done", m_name.length, m_name.str));
  }