From bab4ff1ae52762e5eeb828d89cc7cd3b6e94f3aa Mon Sep 17 00:00:00 2001 From: Davi Arnaut Date: Mon, 9 Feb 2009 16:17:58 -0200 Subject: Bug#42634: % character in query can cause mysqld signal 11 segfault The problem is that a unfiltered user query was being passed as the format string parameter of sql_print_warning which later performs printf-like formatting, leading to crashes if the user query contains formatting instructions (ie: %s). Also, it was using THD::query as the source of the user query, but this variable is not meaningful in some situations -- in a delayed insert, it points to the table name. The solution is to pass the user query as a parameter for the format string and use the function parameter query_arg as the source of the user query. mysql-test/suite/binlog/r/binlog_unsafe.result: Add test case result for Bug#42634 mysql-test/suite/binlog/t/binlog_unsafe.test: Add test case for Bug#42634 sql/sql_class.cc: Don't pass the user query as a format string. --- mysql-test/suite/binlog/r/binlog_unsafe.result | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'mysql-test/suite/binlog/r/binlog_unsafe.result') diff --git a/mysql-test/suite/binlog/r/binlog_unsafe.result b/mysql-test/suite/binlog/r/binlog_unsafe.result index 1f7b217dc31..7c0980ba77c 100644 --- a/mysql-test/suite/binlog/r/binlog_unsafe.result +++ b/mysql-test/suite/binlog/r/binlog_unsafe.result @@ -220,3 +220,10 @@ Warning 1592 Statement is not safe to log in statement format. Warning 1592 Statement is not safe to log in statement format. DROP PROCEDURE p1; DROP TABLE t1; +DROP TABLE IF EXISTS t1; +CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100)); +INSERT INTO t1 VALUES ('a','b'); +UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1; +Warnings: +Warning 1592 Statement is not safe to log in statement format. +DROP TABLE t1; -- cgit v1.2.1