summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorunknown <malff@lambda.hsd1.co.comcast.net.>2007-11-01 06:35:22 -0600
committerunknown <malff@lambda.hsd1.co.comcast.net.>2007-11-01 06:35:22 -0600
commit74394b27feda0d931796b374e170150c4f9e93ad (patch)
treeb5a61e1d87a25955a4fe35a4df5465419a2f763a
parent1de7e5c09f915333cd21fc3786259a3967ddf69a (diff)
parent2ace967acd7323d27df6a96a08ba22a8a64446e8 (diff)
downloadmariadb-git-74394b27feda0d931796b374e170150c4f9e93ad.tar.gz
Merge lambda.hsd1.co.comcast.net.:/home/malff/TREE/mysql-5.0-base
into lambda.hsd1.co.comcast.net.:/home/malff/TREE/mysql-5.0-rt-merge
Diffstat
-rw-r--r--libmysql/libmysql.c7
-rw-r--r--mysql-test/r/select.result35
-rw-r--r--mysql-test/t/select.test48
-rw-r--r--sql/sql_acl.cc24
-rw-r--r--sql/sql_table.cc2
-rw-r--r--tests/mysql_client_test.c94
6 files changed, 195 insertions, 15 deletions
diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c
index e50bd16ca32..85509b49fdd 100644
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -706,7 +706,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
const char *passwd, const char *db)
{
- char buff[512],*end=buff;
+ char buff[USERNAME_LENGTH+SCRAMBLED_PASSWORD_CHAR_LENGTH+NAME_LEN+2];
+ char *end= buff;
int rc;
DBUG_ENTER("mysql_change_user");
@@ -716,7 +717,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
passwd="";
/* Store user into the buffer */
- end=strmov(end,user)+1;
+ end= strmake(end, user, USERNAME_LENGTH) + 1;
/* write scrambled password according to server capabilities */
if (passwd[0])
@@ -736,7 +737,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
else
*end++= '\0'; /* empty password */
/* Add database if needed */
- end= strmov(end, db ? db : "") + 1;
+ end= strmake(end, db ? db : "", NAME_LEN) + 1;
/* Write authentication package */
simple_command(mysql,COM_CHANGE_USER, buff,(ulong) (end-buff),1);
diff --git a/mysql-test/r/select.result b/mysql-test/r/select.result
index ed120a1bbb8..76022053702 100644
--- a/mysql-test/r/select.result
+++ b/mysql-test/r/select.result
@@ -4096,4 +4096,39 @@ SELECT `x` FROM v3;
x
1
DROP VIEW v1, v2, v3;
+
+#
+# Bug#30736: Row Size Too Large Error Creating a Table and
+# Inserting Data.
+#
+DROP TABLE IF EXISTS t1;
+DROP TABLE IF EXISTS t2;
+
+CREATE TABLE t1(
+c1 DECIMAL(10, 2),
+c2 FLOAT);
+
+INSERT INTO t1 VALUES (0, 1), (2, 3), (4, 5);
+
+CREATE TABLE t2(
+c3 DECIMAL(10, 2))
+SELECT
+c1 * c2 AS c3
+FROM t1;
+
+SELECT * FROM t1;
+c1 c2
+0.00 1
+2.00 3
+4.00 5
+
+SELECT * FROM t2;
+c3
+0.00
+6.00
+20.00
+
+DROP TABLE t1;
+DROP TABLE t2;
+
End of 5.0 tests
diff --git a/mysql-test/t/select.test b/mysql-test/t/select.test
index 5c30a17e08e..6deb951c4e8 100644
--- a/mysql-test/t/select.test
+++ b/mysql-test/t/select.test
@@ -3484,4 +3484,52 @@ DROP VIEW v1, v2, v3;
--enable_ps_protocol
+###########################################################################
+
+--echo
+--echo #
+--echo # Bug#30736: Row Size Too Large Error Creating a Table and
+--echo # Inserting Data.
+--echo #
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+DROP TABLE IF EXISTS t2;
+--enable_warnings
+
+--echo
+
+CREATE TABLE t1(
+ c1 DECIMAL(10, 2),
+ c2 FLOAT);
+
+--echo
+
+INSERT INTO t1 VALUES (0, 1), (2, 3), (4, 5);
+
+--echo
+
+CREATE TABLE t2(
+ c3 DECIMAL(10, 2))
+ SELECT
+ c1 * c2 AS c3
+ FROM t1;
+
+--echo
+
+SELECT * FROM t1;
+
+--echo
+
+SELECT * FROM t2;
+
+--echo
+
+DROP TABLE t1;
+DROP TABLE t2;
+
+--echo
+
+###########################################################################
+
--echo End of 5.0 tests
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index e62d0f40abf..1850821a287 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -311,7 +311,7 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
continue;
}
- const char *password= get_field(&mem, table->field[2]);
+ const char *password= get_field(thd->mem_root, table->field[2]);
uint password_len= password ? strlen(password) : 0;
set_user_salt(&user, password, password_len);
if (user.salt_len == 0 && password_len != 0)
@@ -364,7 +364,7 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
/* Starting from 4.0.2 we have more fields */
if (table->s->fields >= 31)
{
- char *ssl_type=get_field(&mem, table->field[next_field++]);
+ char *ssl_type=get_field(thd->mem_root, table->field[next_field++]);
if (!ssl_type)
user.ssl_type=SSL_TYPE_NONE;
else if (!strcmp(ssl_type, "ANY"))
@@ -378,11 +378,11 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
user.x509_issuer= get_field(&mem, table->field[next_field++]);
user.x509_subject= get_field(&mem, table->field[next_field++]);
- char *ptr = get_field(&mem, table->field[next_field++]);
+ char *ptr = get_field(thd->mem_root, table->field[next_field++]);
user.user_resource.questions=ptr ? atoi(ptr) : 0;
- ptr = get_field(&mem, table->field[next_field++]);
+ ptr = get_field(thd->mem_root, table->field[next_field++]);
user.user_resource.updates=ptr ? atoi(ptr) : 0;
- ptr = get_field(&mem, table->field[next_field++]);
+ ptr = get_field(thd->mem_root, table->field[next_field++]);
user.user_resource.conn_per_hour= ptr ? atoi(ptr) : 0;
if (user.user_resource.questions || user.user_resource.updates ||
user.user_resource.conn_per_hour)
@@ -391,7 +391,7 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
if (table->s->fields >= 36)
{
/* Starting from 5.0.3 we have max_user_connections field */
- ptr= get_field(&mem, table->field[next_field++]);
+ ptr= get_field(thd->mem_root, table->field[next_field++]);
user.user_resource.user_conn= ptr ? atoi(ptr) : 0;
}
else
@@ -4898,6 +4898,7 @@ static int handle_grant_table(TABLE_LIST *tables, uint table_no, bool drop,
byte user_key[MAX_KEY_LENGTH];
uint key_prefix_length;
DBUG_ENTER("handle_grant_table");
+ THD *thd= current_thd;
if (! table_no) // mysql.user table
{
@@ -4965,17 +4966,18 @@ static int handle_grant_table(TABLE_LIST *tables, uint table_no, bool drop,
DBUG_PRINT("info",("scan error: %d", error));
continue;
}
- if (! (host= get_field(&mem, host_field)))
+ if (! (host= get_field(thd->mem_root, host_field)))
host= "";
- if (! (user= get_field(&mem, user_field)))
+ if (! (user= get_field(thd->mem_root, user_field)))
user= "";
#ifdef EXTRA_DEBUG
DBUG_PRINT("loop",("scan fields: '%s'@'%s' '%s' '%s' '%s'",
user, host,
- get_field(&mem, table->field[1]) /*db*/,
- get_field(&mem, table->field[3]) /*table*/,
- get_field(&mem, table->field[4]) /*column*/));
+ get_field(thd->mem_root, table->field[1]) /*db*/,
+ get_field(thd->mem_root, table->field[3]) /*table*/,
+ get_field(thd->mem_root,
+ table->field[4]) /*column*/));
#endif
if (strcmp(user_str, user) ||
my_strcasecmp(system_charset_info, host_str, host))
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 20b8c7a4278..0838b805b35 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -955,8 +955,8 @@ static int mysql_prepare_table(THD *thd, HA_CREATE_INFO *create_info,
sql_field->length= dup_field->char_length;
sql_field->pack_length= dup_field->pack_length;
sql_field->key_length= dup_field->key_length;
- sql_field->create_length_to_internal_length();
sql_field->decimals= dup_field->decimals;
+ sql_field->create_length_to_internal_length();
sql_field->unireg_check= dup_field->unireg_check;
/*
We're making one field from two, the result field will have
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 4fcdca76c6f..65e18da97f1 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -15864,6 +15864,99 @@ static void test_bug29306()
DBUG_VOID_RETURN;
}
+
+/**
+ Bug#31669 Buffer overflow in mysql_change_user()
+*/
+
+#define LARGE_BUFFER_SIZE 2048
+
+static void test_bug31669()
+{
+ int rc;
+ static char buff[LARGE_BUFFER_SIZE+1];
+#ifndef EMBEDDED_LIBRARY
+ static char user[USERNAME_LENGTH+1];
+ static char db[NAME_LEN+1];
+ static char query[LARGE_BUFFER_SIZE*2];
+#endif
+
+ DBUG_ENTER("test_bug31669");
+ myheader("test_bug31669");
+
+ rc= mysql_change_user(mysql, NULL, NULL, NULL);
+ DIE_UNLESS(rc);
+
+ rc= mysql_change_user(mysql, "", "", "");
+ DIE_UNLESS(rc);
+
+ memset(buff, 'a', sizeof(buff));
+
+ rc= mysql_change_user(mysql, buff, buff, buff);
+ DIE_UNLESS(rc);
+
+ rc = mysql_change_user(mysql, opt_user, opt_password, current_db);
+ DIE_UNLESS(!rc);
+
+#ifndef EMBEDDED_LIBRARY
+ memset(db, 'a', sizeof(db));
+ db[NAME_LEN]= 0;
+ strxmov(query, "CREATE DATABASE IF NOT EXISTS ", db, NullS);
+ rc= mysql_query(mysql, query);
+ myquery(rc);
+
+ memset(user, 'b', sizeof(user));
+ user[USERNAME_LENGTH]= 0;
+ memset(buff, 'c', sizeof(buff));
+ buff[LARGE_BUFFER_SIZE]= 0;
+ strxmov(query, "GRANT ALL PRIVILEGES ON *.* TO '", user, "'@'%' IDENTIFIED BY "
+ "'", buff, "' WITH GRANT OPTION", NullS);
+ rc= mysql_query(mysql, query);
+ myquery(rc);
+
+ rc= mysql_query(mysql, "FLUSH PRIVILEGES");
+ myquery(rc);
+
+ rc= mysql_change_user(mysql, user, buff, db);
+ DIE_UNLESS(!rc);
+
+ user[USERNAME_LENGTH-1]= 'a';
+ rc= mysql_change_user(mysql, user, buff, db);
+ DIE_UNLESS(rc);
+
+ user[USERNAME_LENGTH-1]= 'b';
+ buff[LARGE_BUFFER_SIZE-1]= 'd';
+ rc= mysql_change_user(mysql, user, buff, db);
+ DIE_UNLESS(rc);
+
+ buff[LARGE_BUFFER_SIZE-1]= 'c';
+ db[NAME_LEN-1]= 'e';
+ rc= mysql_change_user(mysql, user, buff, db);
+ DIE_UNLESS(rc);
+
+ db[NAME_LEN-1]= 'a';
+ rc= mysql_change_user(mysql, user, buff, db);
+ DIE_UNLESS(!rc);
+
+ rc= mysql_change_user(mysql, user + 1, buff + 1, db + 1);
+ DIE_UNLESS(rc);
+
+ rc = mysql_change_user(mysql, opt_user, opt_password, current_db);
+ DIE_UNLESS(!rc);
+
+ strxmov(query, "DROP DATABASE ", db, NullS);
+ rc= mysql_query(mysql, query);
+ myquery(rc);
+
+ strxmov(query, "DELETE FROM mysql.user WHERE User='", user, "'", NullS);
+ rc= mysql_query(mysql, query);
+ myquery(rc);
+ DIE_UNLESS(mysql_affected_rows(mysql) == 1);
+#endif
+
+ DBUG_VOID_RETURN;
+}
+
/*
Read and parse arguments and MySQL options from my.cnf
*/
@@ -16156,6 +16249,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug27592", test_bug27592 },
{ "test_bug29948", test_bug29948 },
{ "test_bug29306", test_bug29306 },
+ { "test_bug31669", test_bug31669 },
{ 0, 0 }
};
View Lorry Controller Status