- 28 Apr, 2015 1 commit
-
-
Arun Kuruvila authored
HOST WHEN IT CONTAINS WILDCARD
Description :- Incorrect access privileges are provided to a user due to wrong sorting of users when wildcard characters are present in the hostname.
Analysis :- Function "get_sort()" is used to sort the strings of user name, hostname, database name. It is used to arrange the users in the access privilege matching order. When a user connects, it checks in the sorted user access privilege list and finds a corresponding matching entry for the user. Algorithm used in "get_sort()" sorts the strings inappropriately. As a result, when a user connects to the server, it is mapped to incorrect user access privileges. Algorithm used in "get_sort()" counts the number of characters before the first occurrence of any one of the wildcard characters (single-wildcard character '_' or multi-wildcard character '%') and sorts in that order. As a result of incorrect sorting it treats hostname "%" and "%.mysql.com" as equally-specific values and therefore the order is indeterminate.
Fix:- The "get_sort()" algorithm has been modified to treat "%" separately. Now "get_sort()" returns a number which, if sorted in descending order, puts strings in the following order:-
* strings with no wildcards
* strings containing wildcards and non-wildcard characters
* single multi-wildcard character('%')
* empty string.
-
- 27 Apr, 2015 1 commit
-
-
V S Murthy Sidagam authored
Restrict when user table hashes can be viewed. Require SUPER privileges.
-
- 24 Apr, 2015 1 commit
-
-
Arun Kuruvila authored
Description:- There is a possibility of negative array index write associated with the function "terminal_writec()". This is due to the assumption that there is a possibility of getting -1 return value from the function call "ct_visual_char()".
Analysis:- The function "terminal_writec()" is called only from "em_delete_or_list()" and "vi_list_or_eof()" and both these functions deal with the "^D" (ctrl+D) signal. So the "size_t len" and "Char c" passed to "ct_visual_char()" (when called from "terminal_writec()") is always 8 (macro VISUAL_WIDTH_MAX is passed whose value is 8) and 4 (ASCII value for "^D"/"ctrl+D") respectively. Since the value of "c" is 4, "ct_chr_class()" returns -1 (macro CHTYPE_ASCIICTL is associated with -1 value). And since value of "len" is 8, "ct_visual_char()" will always return 2 when it is called from "terminal_writec()". So there is no possible case so that we encounter a negative array index write in "terminal_writec()". But since there is a rare possibility of using "terminal_writec()" in future enhancements, it is good to handle the error case as well.
Fix:- A condition is added in "terminal_writec()" to check whether "ct_visual_char()" is returning -1 or not. If the return value is -1, then value 0 is returned to its calling function "em_delete_or_list()" or "vi_list_or_eof()", which in turn will return CC_ERROR.
NOTE:- No testcase is added since currently there is no possible scenario to encounter this error case.
-
- 13 Apr, 2015 1 commit
-
-
Bjorn Munch authored
-
- 10 Apr, 2015 1 commit
-
-
Sreeharsha Ramanavarapu authored
MYISAM TABLE CAUSES THE SERVER TO CRASH Backport to mysql-5.1
-
- 06 Apr, 2015 1 commit
-
-
Nisha authored
Backporting the patch to 5.1 and 5.5
-
- 30 Mar, 2015 1 commit
-
-
V S Murthy Sidagam authored
Description: SSL tests are failing in mysql-5.1 pb2
Analysis: The SSL certificates are ended by Jan 2015. Hence the SSL tests are failing.
Fix: We have generated new certificates with SHA1 algorithm.
-
- 26 Mar, 2015 1 commit
-
-
Sreeharsha Ramanavarapu authored
Backport from mysql-5.5 to mysql-5.1
Bug# 19699237: UNINITIALIZED VARIABLE IN ITEM_FIELD::STR_RESULT LEADS TO INCORRECT BEHAVIOR
ISSUE:
------
When the following conditions are satisfied in a query, a server crash occurs:
a) Two rows are compared using a NULL-safe equal-to operator.
b) Each of these rows belongs to different charsets.
SOLUTION:
---------
When one charset is converted to another for comparison, the constructor of "Item_func_conv_charset" is called. This will attempt to use the Item_cache if the string is a constant. This check succeeds because the "used_table_map" of the Item_cache class is never set to the correct value. Since it is mistakenly assumed to be a constant, it tries to fetch the relevant null value related fields which are yet to be initialized. This results in valgrind issues and wrong results. The fix is to update the "used_table_map" of "Item_cache". This will allow "Item_func_conv_charset" to realise that this is not a constant.
-
- 25 Mar, 2015 1 commit
-
-
Vamsikrishna Bhagi authored
Problem: UDF doesn't handle the arguments properly when they are of string type due to a misplaced break. The length of arguments is also not set properly when the argument is NULL.
Solution: Fixed the code by putting the break at the right place and setting the argument length to zero when the argument is NULL.
-
- 23 Mar, 2015 2 commits
-
-
Chaithra Gopalareddy authored
Backport from mysql-5.5 to mysql-5.1
Bug#19880368 : GROUP_CONCAT CRASHES AFTER DUMP_LEAF_KEY
Problem: find_order_by_list does not update the address of order_item correctly after resolving.
Solution: Change the ref_by address for an order_by field if it's SUM_FUNC_ITEM to the address of the field present in all_fields.
-
Chaithra Gopalareddy authored
Backport from mysql-5.5 to mysql-5.1
Bug #19612819 : FILESORT: ASSERTION FAILED: POS->FIELD != 0 || POS->ITEM != 0
Problem: While getting the temp table field for a REF_ITEM make_sortorder is using the real_item. As a result server fails later with an assert.
Solution: Do not use real_item to get the temp table field. Instead use the REF_ITEM itself as temp table fields are created for REF_ITEM not the real_item.
-
- 19 Mar, 2015 1 commit
-
-
Jon Olav Hauglid authored
Backport from mysql-5.5 to mysql-5.1 of:
Bug19770858: MYSQLD CAN BE DRIVEN TO OOM WITH TWO SIMPLE SESSION VARS
The problem was that the maximum value of the transaction_prealloc_size session system variable was ULONG_MAX which meant that it was possible to cause the server to allocate excessive amounts of memory. This patch fixes the problem by reducing the maximum value of transaction_prealloc_size and transaction_alloc_block_size down to 128K. Note that transactions will still be able to allocate more than 128K if needed, this patch just reduces the amount that can be preallocated - as well as the maximum size of the incremental allocation blocks.
(cherry picked from commit 540c9f7ebb428bbf9ec028feabe1f7f919fdefd9)
Conflicts:
  mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic.result
  mysql-test/suite/sys_vars/r/transaction_alloc_block_size_basic_64.result
  mysql-test/suite/sys_vars/t/disabled.def
  mysql-test/suite/sys_vars/t/transaction_alloc_block_size_basic.test
  sql/sys_vars.cc
-
- 03 Dec, 2013 1 commit
-
- 04 Nov, 2013 2 commits
-
-
mysql-builder@oracle.com authored
No commit message
-
murthy.narkedimilli@oracle.com authored
-
- 01 Nov, 2013 1 commit
-
-
Tor Didriksen authored
get_cost_calc_buff_size() could return wrong value for the size of imerge_cost_buff.
-
- 31 Oct, 2013 2 commits
-
-
mysql-builder@oracle.com authored
No commit message
-
Venkata Sidagam authored
UPPER CASE HOST NAME ANYMORE
Description: It is not possible to drop users with host names with upper case letters in them. i.e. DROP USER 'root'@'Tmp_Host_Name'; is failing with error.
Analysis: Since the fix 11748570 we came up with lower case hostnames as standard. But in the current bug the hostname created by the mysql_install_db script is still having upper case hostnames. So, if we have the hostname with upper case letters like (Tmp_Host_Name) then we will have it stored as it is in the mysql.user table. In this case if we use "'DROP USER 'root'@'Tmp_Host_Name';" it gives an error because we do compare with the lower case of hostname since the 11748570 fix.
Fix: We need to convert the hostname to lower case before storing into the mysql.user table when we run the mysql_install_db script.
-
- 30 Oct, 2013 1 commit
-
-
Balasubramanian Kandasamy authored
-
- 29 Oct, 2013 1 commit
-
-
Tor Didriksen authored
The filesort implementation needs space for at least 15 records (plus some internal overhead) in its main sort buffer.
-
- 18 Oct, 2013 1 commit
-
-
Aditya A authored
AS A INNODB PARTITION.
PROBLEM
-------
The correct engine_type was not being set during rebuild of the partition due to which the handler was always created with the default engine, which is innodb for 5.5+, therefore even if the table was myisam, after rebuilding the partitions ended up as innodb partitions.
FIX
---
Set the correct engine type during rebuild.
[Approved by mattiasj #rb3599]
-
- 16 Oct, 2013 2 commits
-
-
Venkatesh Duggirala authored
REPLICATION FILTERS ARE USED.
Problem: When Filtered-slave applies Int_var_log_event and when it tries to write the event to its own binlog, LAST_INSERT_ID value is written wrongly.
Analysis: THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt is a variable which is set when LAST_INSERT_ID() is used by a statement. If it is set, first_successful_insert_id_in_prev_stmt_for_binlog will be stored in the statement-based binlog. This variable is CUMULATIVE along the execution of a stored function or trigger: if one substatement sets it to 1 it will stay 1 until the function/trigger ends, thus making sure that first_successful_insert_id_in_prev_stmt_for_binlog does not change anymore and is propagated to the caller for binlogging. This is achieved using the following code
  if(!stmt_depends_on_first_successful_insert_id_in_prev_stmt)
  {
    /* It's the first time we read it */
    first_successful_insert_id_in_prev_stmt_for_binlog= first_successful_insert_id_in_prev_stmt;
    stmt_depends_on_first_successful_insert_id_in_prev_stmt= 1;
  }
Slave server, after receiving Int_var_log_event event from master, it is setting stmt_depends_on_first_successful_insert_id_in_prev_stmt to true(*which is wrong*) and not setting first_successful_insert_id_in_prev_stmt_for_binlog. Because of this problem, when the actual DML statement with LAST_INSERT_ID() is parsed by slave SQL thread, first_successful_insert_id_in_prev_stmt_for_binlog is not set. Hence the value zero (default value) is written to slave's binlog.
Why only *Filtered slave* is affected when the code is in common place:
-------------------------------------------------------
In Query_log_event::do_apply_event, THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt is reset to zero at the end of the function. In case of normal slave (No Filters), this variable will be reset. In Filtered slave, Slave SQL thread defers all IRU events' execution until IRU's Query_log event is received. Once it receives Query_log_event it executes all pending IRU events and then it executes Query_log_event. Hence the variable is not getting reset to 0, causing this bug.
Fix: As described above, the root cause was setting THD::stmt_depends_on_first_successful_insert_id_in_prev_stmt when Int_var_log_event was executed by a SQL thread. Hence removing the problematic line from the code.
-
Venkata Sidagam authored
Description: Fix for bug CVE-2012-5611 (bug 67685) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflown by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.
Analysis: In acl_get() when "copy_length" is calculated it is just adding the variable lengths. But when we are using them with strmov() we are adding +1 to each. This will lead to a three byte buffer overflow (i.e. two +1's at strmov() and one byte for the null added by strmov() function). Similarly it happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() and "+1" to "copy_length" in check_grant_db().
-
- 14 Oct, 2013 1 commit
-
-
Nuno Carvalho authored
WL#7266: Dump-thread additional concurrency tests
This worklog aims at testing the two following scenarios:
1) Whenever the mysql_binlog_send method (dump thread) reaches the end of file when reading events from the binlog, before checking if it should wait for more events, there was a test to check if the file being read was still active, i.e, it was the last known binlog. However, it was possible that something was written to the binary log and then a rotation would happen, after EOF was detected and before the check for active was performed. In this case, the end of the binary log would not be read by the dump thread, and this would cause the slave to lose updates. This test verifies that the problem has been fixed. It waits during this window while forcing a rotation in the binlog.
2) Verify dump thread can send events in active file, correctly after encountering an IO error.
-
- 07 Oct, 2013 2 commits
-
-
mysql-builder@oracle.com authored
No commit message
-
Yasufumi Kinoshita authored
ha_innobase::records_in_range() should return HA_POS_ERROR for the table during discarded without requesting pages. The later other handler method should treat the error correctly. Approved by Sunny in rb#3433
-
- 04 Oct, 2013 1 commit
-
-
mysql-builder@oracle.com authored
No commit message
-
- 27 Sep, 2013 1 commit
-
-
mysql-builder@oracle.com authored
No commit message
-
- 20 Sep, 2013 1 commit
-
-
hery.ramilison@oracle.com authored
-
- 12 Sep, 2013 1 commit
-
-
Satya Bodapati authored
disable testcase due to BUG#17446090
-
- 11 Sep, 2013 1 commit
-
-
Satya Bodapati authored
IT IS DONE IN-PLACE
With change buffer enabled, InnoDB doesn't write a transaction log record when it merges a record from the insert buffer to a secondary index page if the insertion is performed as an update-in-place.
Fixed by logging the 'update-in-place' operation on secondary index pages.
Approved by Marko. rb#2429
-
- 10 Sep, 2013 3 commits
-
-
mithun authored
WITH MY_B_VPRINTF()
Issue : In LP 64 machine max long value can be 20 digit decimal value. But in my_b_vprintf() the intermediate buffer storage used is 17 bytes length. This will lead to buffer overflow.
Solution : Increased the buffer storage from 17 to 32 bytes. Code is backported from 5.6
-
Libing Song authored
Postfix, suppress the new warning generated by the bug's fix.
-
Libing Song authored
Dump thread may encounter an error when reading events from the active binlog file. However the errors may be temporary, so dump thread will try to read the event again. But dump thread seeked to a wrong position, which caused some events to be sent twice. To fix the bug, prev_pos is defined outside the while loop and is set to the correct position after reading every event correctly. This patch also makes binlog_can_be_corrupted more accurate, only the binlogs not closed normally are marked binlog_can_be_corrupted. Finally, two warnings are added when dump threads encounter the temporary errors.
-
- 09 Sep, 2013 3 commits
-
-
Balasubramanian Kandasamy authored
Reverted the changes to spec file to ignore mysqld_safe.pid file, updated the logic to get the correct count of PID files
-
Hery Ramilison authored
-
Venkata Sidagam authored
Reverting the patch. Because this change is not to be made for GA versions.
-
- 03 Sep, 2013 1 commit
-
-
Hery Ramilison authored
-
- 30 Aug, 2013 2 commits
-
-
Igor Solodovnikov authored
Memory Leak in mysql_options() was caused by missing call to my_free() in MYSQL_SET_CLIENT_IP branch. Fixed by adding my_free() to cleanup mysql->options.client_ip value before assigning new value.
-
Balasubramanian Kandasamy authored
-