1. 07 Aug, 2015 1 commit
    • Ajo Robert's avatar
      Bug #20760261 mysqld crashed in materialized_cursor:: · f3dce250
      Ajo Robert authored
      send_result_set_metadata
      
      Analysis
      --------
      Cursor inside trigger accessing NEW/OLD row leads server exit.
      
      The reason for the bug was that implementation of function
      create_tmp_table() was not considering Item::TRIGGER_FIELD_ITEM
      as possible alternative for type of class being instantiated.
      This was resulting in a mismatch between a number of columns
      in result list and temp table definition. This mismatch leads
      to the failure of assertion
      DBUG_ASSERT(send_result_set_metadata.elements == item_list.elements)
      in the method Materialized_cursor::send_result_set_metadata
      in debug mode.
      
      Fix:
      ---
      Added code to consider Item::TRIGGER_FIELD_ITEM as valid
      type while creating fields.
      f3dce250
  2. 04 Aug, 2015 1 commit
    • Mithun C Y's avatar
      Bug #21096444: MYSQL IS TRYING TO PERFORM A CONSISTENT READ BUT THE READ VIEW IS NOT ASSIGNED! · c28626d0
      Mithun C Y authored
      Issue: A select for update subquery in having clause
      resulted deadlock and its transaction was rolled back
      by innodb. val_XXX interfaces do not handle errors and
      it do not propogate errors to its caller. sub_select
      did not see this error when it called
      evaluate_join_record and later made a call to innodb.
      As transaction is rolled back innodb asserted.
      
      Fix: Now evaluate_join_record checks if there is any
      error reported and then return the same to its caller.
      c28626d0
  3. 03 Aug, 2015 2 commits
    • Sreeharsha Ramanavarapu's avatar
      Bug #20909518: HANDLE_FATAL_SIGNAL (SIG=11) IN · 9372c9eb
      Sreeharsha Ramanavarapu authored
                     FIND_USED_PARTITIONS | SQL/OPT_RANGE.CC:3884
      
      Post-push fix.
      9372c9eb
    • Sreeharsha Ramanavarapu's avatar
      Bug #20909518: HANDLE_FATAL_SIGNAL (SIG=11) IN · 8006ad80
      Sreeharsha Ramanavarapu authored
                     FIND_USED_PARTITIONS | SQL/OPT_RANGE.CC:3884
      
      Issue:
      -----
      During partition pruning, first we identify the partition
      in which row can reside and then identify the subpartition.
      If we find a partition but not the subpartion then we hit
      a debug assert. While finding the subpartition we check
      the current thread's error status in part_val_int()
      function after some operation. In this case the thread's
      error status is already set to an error (multiple rows
      returned) so the function returns no partition found and
      results in incorrect behavior.
      
      SOLUTION:
      ---------
      Currently any error encountered in part_val_int is
      considered a "partition not found" type error. Instead of
      an assert, a check needs to be done and a valid error
      returned.
      8006ad80
  4. 29 Jul, 2015 1 commit
    • Thirunarayanan Balathandayuthapani's avatar
      Bug #20796566 ERROR: INSERT BUFFER INSERT FAIL CANNOT · 641ab6f3
      Thirunarayanan Balathandayuthapani authored
      			INSERT INDEX RECORD
      
      Problem:
      =======
      
      IBUF_BITMAP_FREE bit in ibuf bitmap array is used to indicate the free
      space available in leaf page. IBUF_BITMAP_FREE bit indicates free
      space more than actual existing free space for the leaf page.
      
      Solution:
      =========
      
      Ibuf_bitmap_array is not updated for the secondary index leaf page when
      insert operation is done by updating a delete marked existing
      record in the index.
      Reviewed-by: default avatarJimmy Yang <jimmy.yang@oracle.com>
      RB: 9544
      641ab6f3
  5. 10 Jul, 2015 1 commit
  6. 23 Jun, 2015 1 commit
  7. 05 Jun, 2015 1 commit
  8. 04 Jun, 2015 1 commit
    • Arun Kuruvila's avatar
      Bug #20605441 : BUFFER OVERFLOW IN MYSQLSLAP · 044e3b1d
      Arun Kuruvila authored
      Description:- mysqlslap is a diagnostic utility designed to
      emulate client load for a MySQL server and to report the
      timing of each stage. This utility crashes when invalid
      values are passed to the options 'num_int_cols_opt' or
      'num_chars_cols_opt' or 'engine'.
      
      Analysis:- mysqlslap uses "parse_option()" to parse the
      values specified to the options 'num_int_cols_opt',
      'num_chars_cols_opt' and 'engine'. These options takes
      values separated by commas. In "parse_option()", the comma
      separated values are separated and copied into a buffer
      without checking the length of the string to be copied. The
      size of the buffer is defined by a macro HUGE_STRING_LENGTH
      whose value is 8196. So if the length of the any of the
      comma separated value exceeds HUGE_STRING_LENGTH, will
      result in a buffer overflow.
      
      Fix:- A check is introduced in "parse_option()" to check
      whether the size of the string to be copied is more than
      HUGE_STRING_LENGTH. If it is more, an error, "Invalid value
      specified for the option 'xxx'" is thrown.
      Option length was incorrectly calculated for the last comma
      separated value. So fixed that as well.
      044e3b1d
  9. 29 May, 2015 1 commit
  10. 28 Apr, 2015 1 commit
    • Arun Kuruvila's avatar
      Bug #20181776 :- ACCESS CONTROL DOESN'T MATCH MOST SPECIFIC · fdae90dd
      Arun Kuruvila authored
                       HOST WHEN IT CONTAINS WILDCARD
      
      Description :- Incorrect access privileges are provided to a
      user due to wrong sorting of users when wildcard characters
      is present in the hostname.
      
      Analysis :- Function "get_sorts()" is used to sort the
      strings of user name, hostname, database name. It is used
      to arrange the users in the access privilege matching order.
      When a user connects, it checks in the sorted user access
      privilege list and finds a corresponding matching entry for
      the user. Algorithm used in "get_sort()" sorts the strings
      inappropriately. As a result, when a user connects to the
      server, it is mapped to incorrect user access privileges.
      Algorithm used in "get_sort()" counts the number of
      characters before the first occurence of any one of the
      wildcard characters (single-wildcard character '_' or
      multi-wildcard character '%') and sorts in that order.
      As a result of inconnect sorting it treats hostname "%" and
      "%.mysql.com" as equally-specific values and therefore
      the order is indeterminate.
      
      Fix:- The "get_sort()" algorithm has been modified to treat
      "%" seperately. Now "get_sort()" returns a number which, if
      sorted in descending order, puts strings in the following
      order:-
      * strings with no wildcards
      * strings containg wildcards and non-wildcard characters
      * single muilt-wildcard character('%')
      * empty string.
      fdae90dd
  11. 27 Apr, 2015 1 commit
  12. 24 Apr, 2015 1 commit
    • Arun Kuruvila's avatar
      Bug#20318154 : NEGATIVE ARRAY INDEX WRITE V2 · eb79ead4
      Arun Kuruvila authored
      Description:- There is a possibility of negative array index
      write associated with the function "terminal_writec()". This
      is due to the assumption that there is a possibility of
      getting -1 return value from the function call
      "ct_visual_char()".
      
      Analysis:- The function "terminal_writec()" is called only
      from "em_delete_or_list()" and "vi_list_or_eof()" and both
      these functions deal with the "^D" (ctrl+D) signal. So the
      "size_t len" and "Char c" passed to "ct_visual_char()" (when
      called from "terminal_writec()") is always 8 (macro
      VISUAL_WIDTH_MAX is passed whose value is 8) and 4 (ASCII
      value for "^D"/"ctrl+D") respectively.
      Since the value of "c" is 4, "ct_chr_class()" returns -1
      (macro CHTYPE_ASCIICTL is associated with -1 value). And
      since value of "len" is 8, "ct_visual_char()" will always
      return 2 when it is called from "terminal_writec()".
      So there is no possible case so that we encounter a negative
      array index write in "terminal_writec()". But since there is
      a rare posibility of using "terminal_writec()" in future
      enhancements, it is good handle the error case as well.
      
      Fix:- A condition is added in "terminal_writec()" to check
      whether "ct_visual_char()" is returning -1 or not. If the
      return value is -1, then value 0 is returned to its calling
      function "em_delete_or_list()" or "vi_list_or_eof()", which
      in turn will return CC_ERROR.
      
      NOTE:- No testcase is added since currently there is no
      possible scenario to encounter this error case.
      eb79ead4
  13. 13 Apr, 2015 1 commit
  14. 10 Apr, 2015 1 commit
  15. 06 Apr, 2015 1 commit
  16. 30 Mar, 2015 1 commit
  17. 26 Mar, 2015 1 commit
    • Sreeharsha Ramanavarapu's avatar
      Bug #20730155: BACKPORT BUG#19699237 TO 5.1 · c788e693
      Sreeharsha Ramanavarapu authored
      Backport from mysql-5.5 to mysql-5.1
      
      Bug# 19699237: UNINITIALIZED VARIABLE IN
                     ITEM_FIELD::STR_RESULT LEADS TO INCORRECT
                     BEHAVIOR
      
      ISSUE:
      ------
      When the following conditions are satisfied in a query, a
      server crash occurs:
      a) Two rows are compared using a NULL-safe equal-to operator.
      b) Each of these rows belong to different charsets.
      
      SOLUTION:
      ---------
      When one charset is converted to another for comparision,
      the constructor of "Item_func_conv_charset" is called.
      This will attempt to use the Item_cache if the string is a
      constant. This check succeeds because the "used_table_map"
      of the Item_cache class is never set to the correct value.
      Since it is mistakenly assumed to be a constant, it tries
      to fetch the relevant null value related fields which are
      yet to be initialized. This results in valgrind issues
      and wrong results.
      
      The fix is to update the "used_table_map" of "Item_cache".
      This will allow "Item_func_conv_charset" to realise that
      this is not a constant.
      c788e693
  18. 25 Mar, 2015 1 commit
    • Vamsikrishna Bhagi's avatar
      Bug# 20730103 BACKPORT 19688008 TO 5.1 · 3c02e6ec
      Vamsikrishna Bhagi authored
      Problem: UDF doesn't handle the arguments properly when they
               are of string type due to a misplaced break.
               The length of arguments is also not set properly
               when the argument is NULL.
      
      Solution: Fixed the code by putting the break at right place
                and setting the argument length to zero when the
                argument is NULL.
      3c02e6ec
  19. 23 Mar, 2015 2 commits
    • Chaithra Gopalareddy's avatar
      Bug #20730220 : BACKPORT BUG#19880368 TO 5.1 · 044060fe
      Chaithra Gopalareddy authored
      Backport from mysql-5.5 to mysql-5.1
      
      Bug#19880368 : GROUP_CONCAT CRASHES AFTER DUMP_LEAF_KEY
      
      Problem:
      find_order_by_list does not update the address of order_item
      correctly after resolving.
      
      Solution:
      Change the ref_by address for a order_by field if its
      SUM_FUNC_ITEM to the address of the field present in
      all_fields.
      044060fe
    • Chaithra Gopalareddy's avatar
      Bug #20730129: BACKPORT BUG#19612819 TO 5.1 · a2cd622f
      Chaithra Gopalareddy authored
      Backport from mysql-5.5 to mysql-5.1
      
      Bug #19612819 :  FILESORT: ASSERTION FAILED: POS->FIELD != 0 || POS->ITEM != 0
      
      Problem:
      While getting the temp table field for a REF_ITEM
      make_sortorder is using the real_item. As a result
      server fails later with an assert.
      
      Solution:
      Do not use real_item to get the temp table field.
      Instead use the REF_ITEM itself as temp table fields
      are created for REF_ITEM not the real_item.
      a2cd622f
  20. 19 Mar, 2015 1 commit
    • Jon Olav Hauglid's avatar
      Bug#20730053: BACKPORT BUG#19770858 TO 5.1 · c7581bb5
      Jon Olav Hauglid authored
      Backport from mysql-5.5 to mysql-5.1 of:
      
      Bug19770858: MYSQLD CAN BE DRIVEN TO OOM WITH TWO SIMPLE SESSION VARS
      
      The problem was that the maximum value of the transaction_prealloc_size
      session system variable was ULONG_MAX which meant that it was possible
      to cause the server to allocate excessive amounts of memory.
      
      This patch fixes the problem by reducing the maxmimum value of
      transaction_prealloc_size and transaction_alloc_block_size down
      to 128K.
      
      Note that transactions will still be able to allocate more than
      128K if needed, this patch just reduces the amount that can be
      preallocated - as well as the maximum size of the incremental
      allocation blocks.
      
      (cherry picked from commit 540c9f7ebb428bbf9ec028feabe1f7f919fdefd9)
      
      Conflicts:
      	mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic.result
      	mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic_64.result
      	mysql-test/suite/sys_vars/t/disabled.def
      	mysql-test/suite/sys_vars/t/transaction_alloc_block_size_basic.test
      	sql/sys_vars.cc
      c7581bb5
  21. 03 Dec, 2013 1 commit
  22. 04 Nov, 2013 2 commits
  23. 01 Nov, 2013 1 commit
  24. 31 Oct, 2013 2 commits
    • mysql-builder@oracle.com's avatar
      No commit message · 7e1c78c8
      mysql-builder@oracle.com authored
      No commit message
      7e1c78c8
    • Venkata Sidagam's avatar
      Bug #12917164 DROP USER CAN'T DROP USERS WITH LEGACY · 46b617d2
      Venkata Sidagam authored
          UPPER CASE HOST NAME ANYMORE
      
      Description:
      It is not possible to drop users with host names with upper case
      letters in them. i.e DROP USER 'root'@'Tmp_Host_Name'; is failing
      with error.
      
      Analysis: Since the fix 11748570 we came up with lower case hostnames
      as standard. But in the current bug the hostname is created by
      mysql_install_db script is still having upper case hostnames. 
      So, if we have the hostname with upper case letters like(Tmp_Host_Name)
      then we will have as it is stored in the mysql.user table. 
      In this case if use "'DROP USER 'root'@'Tmp_Host_Name';" it gives 
      error because we do compare with the lower case of hostname since the 
      11748570 fix.
      
      Fix: We need to convert the hostname to lower case before storing into 
      the mysql.user table when we run the mysql_install_db script.
      46b617d2
  25. 30 Oct, 2013 1 commit
  26. 29 Oct, 2013 1 commit
  27. 18 Oct, 2013 1 commit
    • Aditya A's avatar
      Bug#17559867 AFTER REBUILDING,A MYISAM PARTITION ENDS UP · df5018f2
      Aditya A authored
                   AS A INNODB PARTITTION.
      
      PROBLEM
      -------
      The correct engine_type was not being set during 
      rebuild of the partition due to which the handler
      was always created with the default engine,
      which is innodb for 5.5+ ,therefore even if the
      table was myisam, after rebuilding the partitions
      ended up as innodb partitions.
      
      FIX
      ---
      Set the correct engine type during rebuild.  
      
      [Approved by mattiasj #rb3599]
      df5018f2
  28. 16 Oct, 2013 2 commits
    • Venkatesh Duggirala's avatar
      Bug#17234370 LAST_INSERT_ID IS REPLICATED INCORRECTLY IF · 29e45f15
      Venkatesh Duggirala authored
      REPLICATION FILTERS ARE USED.
      
      Problem:
      When Filtered-slave applies Int_var_log_event and when it
      tries to write the event to its own binlog, LAST_INSERT_ID
      value is written wrongly.
      
      Analysis:
      THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
      is a variable which is set when LAST_INSERT_ID() is used by
      a statement. If it is set, first_successful_insert_id_in_
      prev_stmt_for_binlog will be stored in the statement-based
      binlog. This variable is CUMULATIVE along the execution of
      a stored function or trigger: if one substatement sets it
      to 1 it will stay 1 until the function/trigger ends,
      thus making sure that first_successful_insert_id_in_
      prev_stmt_for_binlog does not change anymore and is
      propagated to the caller for binlogging. This is achieved
      using the following code
      if(!stmt_depends_on_first_successful_insert_id_in_prev_stmt)               
      {                                                                           
        /* It's the first time we read it */                                      
        first_successful_insert_id_in_prev_stmt_for_binlog=                       
        first_successful_insert_id_in_prev_stmt;                                
        stmt_depends_on_first_successful_insert_id_in_prev_stmt= 1;               
      }
      
      Slave server, after receiving Int_var_log_event event from
      master, it is setting
      stmt_depends_on_first_successful_insert_id_in_prev_stmt
      to true(*which is wrong*) and not setting
      first_successful_insert_id_in_prev_stmt_for_binlog. Because
      of this problem, when the actual DML statement with
      LAST_INSERT_ID() is parsed by slave SQL thread,
      first_successful_insert_id_in_prev_stmt_for_binlog is not
      set. Hence the value zero (default value) is written to
      slave's binlog.
      
      Why only *Filtered slave* is effected when the code is
      in common place:
      -------------------------------------------------------
      In Query_log_event::do_apply_event,
      THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
      is reset to zero at the end of the function. In case of
      normal slave (No Filters), this variable will be reset. 
      In Filtered slave, Slave SQL thread defers all IRU events's
      execution until IRU's Query_log event is received. Once it
      receives Query_log_event it executes all pending IRU events
      and then it executes Query_log_event. Hence the variable is
      not getting reset to 0, causing this bug.
      
      Fix: As described above, the root cause was setting 
      THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt
      when Int_var_log_event was executed by a SQL thread. Hence
      removing the problematic line from the code.
      29e45f15
    • Venkata Sidagam's avatar
      Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE · 9fc51224
      Venkata Sidagam authored
      Description: Fix for bug CVE-2012-5611 (bug 67685) is 
      incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
      check_grant_db() can be overflown by up to two bytes. That's 
      probably not enough to do anything more serious than crashing 
      mysqld.
      Analysis: In acl_get() when "copy_length" is calculated it 
      just adding the variable lengths. But when we are using them 
      with strmov() we are adding +1 to each. This will lead to a 
      three byte buffer overflow (i.e two +1's at strmov() and one 
      byte for the null added by strmov() function). Similarly it 
      happens for check_grant_db() function as well.
      Fix: We need to add "+2" to "copy_length" in acl_get() 
      and "+1" to "copy_length" in check_grant_db(). 
      9fc51224
  29. 14 Oct, 2013 1 commit
    • Nuno Carvalho's avatar
      WL#7266: Dump-thread additional concurrency tests ... · 3f587452
      Nuno Carvalho authored
      WL#7266: Dump-thread additional concurrency tests                                                                                                                           
      
      This worklog aims at testing the two following scenarios:
      
      1) Whenever the mysql_binlog_send method (dump thread)
      reaches the end of file when reading events from the binlog, before
      checking if it should wait for more events, there was a test to
      check if the file being read was still active, i.e, it was the last
      known binlog. However, it was possible that something was written to
      the binary log and then a rotation would happen, after EOF was
      detected and before the check for active was performed. In this
      case, the end of the binary log would not be read by the dump
      thread, and this would cause the slave to lose updates.
      This test verifies that the problem has been fixed. It waits during
      this window while forcing a rotation in the binlog.
      
      2) Verify dump thread can send events in active file, correctly after
      encountering an IO error.
      3f587452
  30. 07 Oct, 2013 2 commits
  31. 04 Oct, 2013 1 commit
  32. 27 Sep, 2013 1 commit
  33. 20 Sep, 2013 1 commit
  34. 12 Sep, 2013 1 commit