From b1967ad723dd9f213099393aad13f1adec6cdc08 Mon Sep 17 00:00:00 2001
From: "evgen@moonbone.local" <>
Date: Mon, 23 Jan 2006 21:51:32 +0300
Subject: [PATCH] Fixed bug #16510: Updating field named like '*name' caused server crash.
When setup_fields() function finds field named '*' it expands it to the list of all table fields. It does so by checking that the first char of field_name is '*', but it doesn't checks that the '* is the only char. Due to this, when updating table with a field named like '*name', such field is wrongly treated as '*' and expanded. This leads to making list of fields to update being longer than list of the new values. Later, the fill_record() function crashes by dereferencing null when there is left fields to update, but no more values. Added check in the setup_fields() function which ensures that the field expanding will be done only when '*' is the only char in the field name.
---
 mysql-test/r/update.result | 4 ++++
 mysql-test/t/update.test | 8 ++++++++
 sql/sql_base.cc | 1 +
 3 files changed, 13 insertions(+)
diff --git a/mysql-test/r/update.result b/mysql-test/r/update.result
index 9ca92fe75df..46cf2d161ef 100644
--- a/mysql-test/r/update.result
+++ b/mysql-test/r/update.result
@@ -216,3 +216,7 @@ select * from t1;
 a b
 0 2
 drop table t1;
+create table t1(f1 int, `*f2` int);
+insert into t1 values (1,1);
+update t1 set `*f2`=1;
+drop table t1;
diff --git a/mysql-test/t/update.test b/mysql-test/t/update.test
index 6c7b450f763..fcd17dc75f0 100644
--- a/mysql-test/t/update.test
+++ b/mysql-test/t/update.test
@@ -174,3 +174,11 @@ insert into t1 values (0, '1');
 update t1 set b = b + 1 where a = 0;
 select * from t1;
 drop table t1;
+
+ #
+ # Bug #16510 Updating field named like '*name' caused server crash
+ #
+create table t1(f1 int, `*f2` int);
+insert into t1 values (1,1);
+update t1 set `*f2`=1;
+drop table t1;
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 4f52904a61e..42a2e692d21 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
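Review bot: The new update.test case only establishes that updating the `*f2` column no longer crashes the server; nothing in the hunk reads the row back, so a regression that silently skips the column or writes a different one would still pass. Adding `select * from t1;` after the update (with the matching rows in the update.result hunk above) would pin the stored value, and an update that sets both f1 and *f2 in one statement would show directly that the column list is not expanded. The crash in the description is a denial of service reachable by anyone who can create and update a table with such a column name, so the regression test is the only guard that this stays fixed.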
@@ -1983,6 +1983,7 @@ int setup_fields(THD *thd, TABLE_LIST *tables, List &fields,
 */
 if (item->type() == Item::FIELD_ITEM &&
 ((Item_field*) item)->field_name[0] == '*' &&
+ ((Item_field*) item)->field_name[1] == 0 &&
 !((Item_field*) item)->field)
 {
 uint elem=fields.elements;
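Review bot: The added `field_name[1] == 0` turns the wildcard test into a string compare spread over two `&&` terms (and a third cast of the same item), which is easy to misread or partially edit later; `strcmp(((Item_field*) item)->field_name, "*") == 0` states the intent in one term, on the same assumption the new line already makes that `field_name` is NUL-terminated. The root cause given in the description — fill_record() dereferencing null once the expanded fields list outruns the values list — is avoided on this path but not guarded against, so a length check of the two lists before fill_record() runs would turn any future mismatch into an error instead of a server crash. A comment on this branch such as `/* Only a bare '*' expands to all columns; a name that merely starts with '*' is an ordinary field (Bug #16510). */` would record why the second character is tested. The enclosing setup_fields() and the body of this if both continue outside the hunk.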