Merge lp:~percona-dev/percona-server/release-5.1.47-11-bug580324 into lp:percona-server/release-5.1.47-11

Proposed by Oleg Tsarev
Status: Merged
Approved by: Vadim Tkachenko
Approved revision: no longer in the source branch.
Merged at revision: 13
Proposed branch: lp:~percona-dev/percona-server/release-5.1.47-11-bug580324
Merge into: lp:percona-server/release-5.1.47-11
Diff against target: 112 lines (+99/-0)
2 files modified
bug580324.patch (+98/-0)
series (+1/-0)
To merge this branch: bzr merge lp:~percona-dev/percona-server/release-5.1.47-11-bug580324
Reviewer Review Type Date Requested Status
Vadim Tkachenko Approve
Review via email: mp+26215@code.launchpad.net

Description of the change

Security fix for bug 580324.
In addition to applying the patch, I had to remove some existing code in favor of the code from the patch.

Vadim Tkachenko (vadim-tk) :
review: Approve

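--- a/bug580324.patch
+++ b/bug580324.patch
@@ -0,0 +1,98 @@
+diff -Nur a/sql/sql_base.cc b/sql/sql_base.cc
+--- a/sql/sql_base.cc 2010-05-27 19:54:18.000000000 +0400
++++ b/sql/sql_base.cc 2010-05-27 19:55:20.000000000 +0400
+@@ -233,8 +233,12 @@
+ uint create_table_def_key(THD *thd, char *key, TABLE_LIST *table_list,
+ bool tmp_table)
+ {
+- uint key_length= (uint) (strmov(strmov(key, table_list->db)+1,
+- table_list->table_name)-key)+1;
++ char *db_end= strnmov(key, table_list->db, MAX_DBKEY_LENGTH - 2);
++ *db_end++= '\0';
++ char *table_end= strnmov(db_end, table_list->table_name,
++ key + MAX_DBKEY_LENGTH - 1 - db_end);
++ *table_end++= '\0';
++ uint key_length= (uint) (table_end-key);
+ if (tmp_table)
+ {
+ int4store(key + key_length, thd->server_id);
+diff -Nur a/sql/sql_parse.cc b/sql/sql_parse.cc
+--- a/sql/sql_parse.cc 2010-05-27 19:54:18.000000000 +0400
++++ b/sql/sql_parse.cc 2010-05-27 20:03:20.000000000 +0400
+@@ -1299,10 +1299,12 @@
+ break;
+ #else
+ {
+- char *fields, *packet_end= packet + packet_length, *arg_end;
++ char *fields, *packet_end= packet + packet_length, *wildcard;
+ /* Locked closure of all tables */
+ TABLE_LIST table_list;
+- LEX_STRING conv_name;
++ char db_buff[NAME_LEN+1];
++ uint32 db_length;
++ uint dummy_errors;
+
+ /* used as fields initializator */
+ lex_start(thd);
+@@ -1314,26 +1316,22 @@
+ /*
+ We have name + wildcard in packet, separated by endzero
+ */
+- arg_end= strend(packet);
+- uint arg_length= arg_end - packet;
+-
+- /* Check given table name length. */
+- if (arg_length >= packet_length || arg_length > NAME_LEN)
++ wildcard= strend(packet);
++ db_length= wildcard - packet;
++ wildcard++;
++ uint query_length= (uint) (packet_end - wildcard); // Don't count end \0
++ if (db_length > NAME_LEN || query_length > NAME_LEN)
+ {
+ my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+ break;
+ }
+- thd->convert_string(&conv_name, system_charset_info,
+- packet, arg_length, thd->charset());
+- if (check_table_name(conv_name.str, conv_name.length, FALSE))
+- {
+- /* this is OK due to convert_string() null-terminating the string */
+- my_error(ER_WRONG_TABLE_NAME, MYF(0), conv_name.str);
++ db_length= copy_and_convert(db_buff, sizeof(db_buff)-1,
++ system_charset_info, packet, db_length,
++ thd->charset(), &dummy_errors);
++ db_buff[db_length]= '\0';
++ table_list.alias= table_list.table_name= db_buff;
++ if (!(fields= (char *) thd->memdup(wildcard, query_length + 1)))
+ break;
+- }
+-
+- table_list.alias= table_list.table_name= conv_name.str;
+- packet= arg_end + 1;
+
+ if (is_schema_db(table_list.db, table_list.db_length))
+ {
+@@ -1342,9 +1340,6 @@
+ table_list.schema_table= schema_table;
+ }
+
+- uint query_length= (uint) (packet_end - packet); // Don't count end \0
+- if (!(fields= (char *) thd->memdup(packet, query_length + 1)))
+- break;
+ thd->set_query(fields, query_length);
+ general_log_print(thd, command, "%s %s", table_list.table_name, fields);
+ if (lower_case_table_names)
+diff -Nur a/strings/ctype-utf8.c b/strings/ctype-utf8.c
+--- a/strings/ctype-utf8.c 2010-05-06 19:28:05.000000000 +0400
++++ b/strings/ctype-utf8.c 2010-05-27 20:04:20.000000000 +0400
+@@ -4116,6 +4116,10 @@
+ {
+ int code;
+ char hex[]= "0123456789abcdef";
++
++ if (s >= e)
++ return MY_CS_TOOSMALL;
++
+ if (wc < 128 && filename_safe_char[wc])
+ {
+ *s= (uchar) wc;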
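Review bot: The new COM_FIELD_LIST code in the sql_parse.cc hunk no longer validates the table name: the removed lines called `check_table_name()` and raised ER_WRONG_TABLE_NAME, while the added code only bounds `db_length` and `query_length` against NAME_LEN before handing `db_buff` on as `table_list.table_name`. The description says the removal was deliberate, but if that validation was guarding against names with reserved characters or trailing spaces it should be restored right after `db_buff[db_length]= '\0';`, e.g. `if (check_table_name(db_buff, db_length, FALSE)) { my_error(ER_WRONG_TABLE_NAME, MYF(0), db_buff); break; }`. The `query_length > NAME_LEN` test also quietly takes over the job of the removed `arg_length >= packet_length` check: if the packet holds no NUL before `packet_end` (assuming the caller terminates the packet there, which is not visible here), `wildcard++` steps one past it and the `uint` cast turns the negative difference into a huge value that the comparison rejects, so a comment such as `// wraps to a huge value when no separator is found; rejected by the > NAME_LEN test` would keep a later edit from "simplifying" it. As a point of style, `db_buff`/`db_length` hold the table name rather than a database name, so `table_buff`/`table_length` would read more honestly. The enclosing switch case begins and ends outside the hunk.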
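--- a/series
+++ b/series
@@ -37,3 +37,4 @@
 mysql-test.diff
 percona-support.patch
 innodb_deadlock_count.patch
+bug580324.patch
\ No newline at end of file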
