Bug#42634: % character in query can cause mysqld signal 11 segfault

The problem is that a unfiltered user query was being passed as
the format string parameter of sql_print_warning which later
performs printf-like formatting, leading to crashes if the user
query contains formatting instructions (ie: %s). Also, it was
using THD::query as the source of the user query, but this
variable is not meaningful in some situations -- in a delayed
insert, it points to the table name.

The solution is to pass the user query as a parameter for the
format string and use the function parameter query_arg as the
source of the user query.

mysql-test/suite/binlog/r/binlog_unsafe.result:
  Add test case result for Bug#42634
mysql-test/suite/binlog/t/binlog_unsafe.test:
  Add test case for Bug#42634
sql/sql_class.cc:
  Don't pass the user query as a format string.

1 files changed, 7 insertions, 0 deletions

diff --git a/mysql-test/suite/binlog/r/binlog_unsafe.result b/mysql-test/suite/binlog/r/binlog_unsafe.result
index 1f7b217dc31..7c0980ba77c 100644
--- a/mysql-test/suite/binlog/r/binlog_unsafe.result
+++ b/mysql-test/suite/binlog/r/binlog_unsafe.result
@@ -220,3 +220,10 @@ Warning	1592	Statement is not safe to log in statement format.
 Warning	1592	Statement is not safe to log in statement format.
 DROP PROCEDURE p1;
 DROP TABLE t1;
+DROP TABLE IF EXISTS t1;
+CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
+INSERT INTO t1 VALUES ('a','b');
+UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
+Warnings:
+Warning	1592	Statement is not safe to log in statement format.
+DROP TABLE t1;