database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc

Browse Source
This commit is contained in:
Alexander Barkov
2018-03-02 11:31:27 +04:00
parent 4025cfaec0
commit 88a9d4ab42
4 changed files with 112 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
mysql-test/r/sp-destruct.result
View File

@ -171,3 +171,60 @@ create database mysqltest1;
create procedure mysqltest1.foo() select "foo"; create procedure mysqltest1.foo() select "foo";
update mysql.proc set name='' where db='mysqltest1'; update mysql.proc set name='' where db='mysqltest1';
drop database mysqltest1; drop database mysqltest1;
#
# MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc
#
CREATE OR REPLACE FUNCTION f1 (a INT) RETURNS INT RETURN 10;
CREATE OR REPLACE FUNCTION f2 (a INT) RETURNS INT RETURN 10;
SELECT
@type0:=COLUMN_TYPE AS t0,
@type1:=REPLACE(COLUMN_TYPE,')',',''XXX'')') AS t1
FROM INFORMATION_SCHEMA.COLUMNS
WHERE table_schema='mysql' AND table_name='proc' AND column_name='type';
t0 enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY')
t1 enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY','XXX')
EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type1);
SHOW COLUMNS IN mysql.proc LIKE 'type';
Field Type Null Key Default Extra
type enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY','XXX') NO PRI NULL
UPDATE mysql.proc SET type='XXX' WHERE name='f1' AND db='test';
SELECT * FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='test';
SPECIFIC_CATALOG def
SPECIFIC_SCHEMA test
SPECIFIC_NAME f2
ORDINAL_POSITION 0
PARAMETER_MODE NULL
PARAMETER_NAME NULL
DATA_TYPE int
CHARACTER_MAXIMUM_LENGTH NULL
CHARACTER_OCTET_LENGTH NULL
NUMERIC_PRECISION 10
NUMERIC_SCALE 0
DATETIME_PRECISION NULL
CHARACTER_SET_NAME NULL
COLLATION_NAME NULL
DTD_IDENTIFIER int(11)
ROUTINE_TYPE FUNCTION
SPECIFIC_CATALOG def
SPECIFIC_SCHEMA test
SPECIFIC_NAME f2
ORDINAL_POSITION 1
PARAMETER_MODE IN
PARAMETER_NAME a
DATA_TYPE int
CHARACTER_MAXIMUM_LENGTH NULL
CHARACTER_OCTET_LENGTH NULL
NUMERIC_PRECISION 10
NUMERIC_SCALE 0
DATETIME_PRECISION NULL
CHARACTER_SET_NAME NULL
COLLATION_NAME NULL
DTD_IDENTIFIER int(11)
ROUTINE_TYPE FUNCTION
UPDATE mysql.proc SET type='FUNCTION' WHERE name='f1' AND db='test';
EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type0);
SHOW COLUMNS IN mysql.proc LIKE 'type';
Field Type Null Key Default Extra
type enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY') NO PRI NULL
DROP FUNCTION f1;
DROP FUNCTION f2;

35
mysql-test/t/sp-destruct.test
View File

@ -285,3 +285,38 @@ create database mysqltest1;
create procedure mysqltest1.foo() select "foo"; create procedure mysqltest1.foo() select "foo";
update mysql.proc set name='' where db='mysqltest1'; update mysql.proc set name='' where db='mysqltest1';
drop database mysqltest1; drop database mysqltest1;
--echo #
--echo # MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc
--echo #
CREATE OR REPLACE FUNCTION f1 (a INT) RETURNS INT RETURN 10;
CREATE OR REPLACE FUNCTION f2 (a INT) RETURNS INT RETURN 10;
# Get the current data type for mysql.proc.type
--vertical_results
SELECT
@type0:=COLUMN_TYPE AS t0,
@type1:=REPLACE(COLUMN_TYPE,')',',''XXX'')') AS t1
FROM INFORMATION_SCHEMA.COLUMNS
WHERE table_schema='mysql' AND table_name='proc' AND column_name='type';
--horizontal_results
# Change mysql.proc.type and update the record for 'f1'
EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type1);
SHOW COLUMNS IN mysql.proc LIKE 'type';
UPDATE mysql.proc SET type='XXX' WHERE name='f1' AND db='test';
# Check the I_S query
--vertical_results
SELECT * FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='test';
--horizontal_results
# Restore the record for 'f1' and restore mysql.proc.type
UPDATE mysql.proc SET type='FUNCTION' WHERE name='f1' AND db='test';
EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type0);
SHOW COLUMNS IN mysql.proc LIKE 'type';
DROP FUNCTION f1;
DROP FUNCTION f2;

12
sql/sp.h
View File

@ -122,6 +122,16 @@ public:
static const Sp_handler *handler(enum enum_sql_command cmd); static const Sp_handler *handler(enum enum_sql_command cmd);
static const Sp_handler *handler(stored_procedure_type type); static const Sp_handler *handler(stored_procedure_type type);
static const Sp_handler *handler(MDL_key::enum_mdl_namespace ns); static const Sp_handler *handler(MDL_key::enum_mdl_namespace ns);
/*
Return a handler only those SP objects that store
definitions in the mysql.proc system table
*/
static const Sp_handler *handler_mysql_proc(stored_procedure_type type)
{
const Sp_handler *sph= handler(type);
return sph ? sph->sp_handler_mysql_proc() : NULL;
}
static bool eq_routine_name(const LEX_CSTRING &name1, static bool eq_routine_name(const LEX_CSTRING &name1,
const LEX_CSTRING &name2) const LEX_CSTRING &name2)
{ {
@ -153,6 +163,7 @@ public:
return m_empty_body; return m_empty_body;
} }
virtual MDL_key::enum_mdl_namespace get_mdl_type() const= 0; virtual MDL_key::enum_mdl_namespace get_mdl_type() const= 0;
virtual const Sp_handler *sp_handler_mysql_proc() const { return this; }
virtual sp_cache **get_cache(THD *) const { return NULL; } virtual sp_cache **get_cache(THD *) const { return NULL; }
#ifndef NO_EMBEDDED_ACCESS_CHECKS #ifndef NO_EMBEDDED_ACCESS_CHECKS
virtual HASH *get_priv_hash() const { return NULL; } virtual HASH *get_priv_hash() const { return NULL; }
@ -434,6 +445,7 @@ public:
DBUG_ASSERT(0); DBUG_ASSERT(0);
return MDL_key::TRIGGER; return MDL_key::TRIGGER;
} }
const Sp_handler *sp_handler_mysql_proc() const { return NULL; }
}; };

13
sql/sql_show.cc
View File

@ -6155,9 +6155,11 @@ bool store_schema_params(THD *thd, TABLE *table, TABLE *proc_table,
proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name); proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name);
proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer); proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer);
sql_mode= (sql_mode_t) proc_table->field[MYSQL_PROC_FIELD_SQL_MODE]->val_int(); sql_mode= (sql_mode_t) proc_table->field[MYSQL_PROC_FIELD_SQL_MODE]->val_int();
sph= Sp_handler::handler((stored_procedure_type) proc_table->field[MYSQL_PROC_MYSQL_TYPE]->val_int()); sph= Sp_handler::handler_mysql_proc((stored_procedure_type)
proc_table->field[MYSQL_PROC_MYSQL_TYPE]->
val_int());
if (!sph) if (!sph)
sph= &sp_handler_procedure; DBUG_RETURN(0);
if (!full_access) if (!full_access)
full_access= !strcmp(sp_user, definer.str); full_access= !strcmp(sp_user, definer.str);
@ -6265,10 +6267,11 @@ bool store_schema_proc(THD *thd, TABLE *table, TABLE *proc_table,
proc_table->field[MYSQL_PROC_FIELD_DB]->val_str_nopad(thd->mem_root, &db); proc_table->field[MYSQL_PROC_FIELD_DB]->val_str_nopad(thd->mem_root, &db);
proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name); proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name);
proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer); proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer);
sph= Sp_handler::handler((stored_procedure_type) sph= Sp_handler::handler_mysql_proc((stored_procedure_type)
proc_table->field[MYSQL_PROC_MYSQL_TYPE]->val_int()); proc_table->field[MYSQL_PROC_MYSQL_TYPE]->
val_int());
if (!sph) if (!sph)
sph= &sp_handler_procedure; return 0;
if (!full_access) if (!full_access)
full_access= !strcmp(sp_user, definer.str); full_access= !strcmp(sp_user, definer.str);