diff options
| author | Nisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com> | 2013-01-12 11:13:37 +0530 |
|---|---|---|
| committer | Nisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com> | 2013-01-12 11:13:37 +0530 |
| commit | 3d9d0e7766d4195bbe40dbac8d85abcfe343beb0 (patch) | |
| tree | a5d55ed844d1f9fd1c08f0e0cd4a6834b5eab058 | |
| parent | 01094a4b13095175080b073e804866621377a16e (diff) | |
| download | mariadb-git-3d9d0e7766d4195bbe40dbac8d85abcfe343beb0.tar.gz | |
BUG#11757250: REPLACE(...) INSIDE A STORED PROCEDURE.
Analysis:
--------
REPLACE operation provides incorrect output when
user variable is supplied as an argument and there
are multiple rows on which the operation is performed.
Consider the example below:
SET @var='(( 00000000 ++ 00000000 ))';
SELECT REPLACE(@var, '00000000', table_name) AS a FROM
INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='mysql';
Invalid output:
+---------------------------------------+
| REPLACE(@var, '00000000', TABLE_NAME) |
+---------------------------------------+
| (( columns_priv ++ columns_priv )) |
| (( columns_priv ++ columns_priv )) |
......
......
| (( columns_priv ++ columns_priv )) |
| (( columns_priv ++ columns_priv )) |
| (( columns_priv ++ columns_priv )) |
+---------------------------------------+
The user argument supplied as the string to REPLACE
operation is overwritten after the first iteration
to '(( columns_priv ++ columns_priv ))'.
The overwritten string after the first iteration
is used for the subsequent REPLACE iteration. Since
the pattern string is not found, it returns invalid
output as mentioned above.
Fix:
---
If the Alloced_length is zero, realloc() and create a
copy of the string which is then used for the REPLACE
operation for every iteration.
| -rw-r--r-- | client/sql_string.cc | 2 | ||||
| -rw-r--r-- | sql/sql_string.cc | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/client/sql_string.cc b/client/sql_string.cc index 4a0f2df927b..010da7eb517 100644 --- a/client/sql_string.cc +++ b/client/sql_string.cc @@ -761,7 +761,7 @@ String *copy_if_not_alloced(String *to,String *from,uint32 from_length) { if (from->Alloced_length >= from_length) return from; - if (from->alloced || !to || from == to) + if ((from->alloced && (from->Alloced_length != 0)) || !to || from == to) { (void) from->realloc(from_length); return from; diff --git a/sql/sql_string.cc b/sql/sql_string.cc index 4dbc2d77206..10bd3511cd2 100644 --- a/sql/sql_string.cc +++ b/sql/sql_string.cc @@ -796,7 +796,7 @@ String *copy_if_not_alloced(String *to,String *from,uint32 from_length) { if (from->Alloced_length >= from_length) return from; - if (from->alloced || !to || from == to) + if ((from->alloced && (from->Alloced_length != 0)) || !to || from == to) { (void) from->realloc(from_length); return from; |