mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00

Bug#42634: % character in query can cause mysqld signal 11 segfault

The problem is that an unfiltered user query was being passed as
the format string parameter of sql_print_warning which later
performs printf-like formatting, leading to crashes if the user
query contains formatting instructions (i.e. %s). Also, it was
using THD::query as the source of the user query, but this
variable is not meaningful in some situations -- in a delayed
insert, it points to the table name.

The solution is to pass the user query as a parameter for the
format string and use the function parameter query_arg as the
source of the user query.

mysql-test/suite/binlog/r/binlog_unsafe.result:
  Add test case result for Bug#42634
mysql-test/suite/binlog/t/binlog_unsafe.test:
  Add test case for Bug#42634
sql/sql_class.cc:
  Don't pass the user query as a format string.
This commit is contained in:
Davi Arnaut
2009-02-09 16:17:58 -02:00
parent 461cad77b4
commit bab4ff1ae5
3 changed files with 24 additions and 5 deletions
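As an added illustration of the defect the commit message describes, and not MariaDB's own code: a stand-in for a printf-style logger like sql_print_warning, the vulnerable call shape (query text in the format-string position) beside the fixed shape (fixed format, query as an argument), and a small helper that counts how many conversion directives a string would trigger if it were misused as a format. The logger name, the warning text and the helper are assumptions made for this example; the sample statement mirrors the UPDATE used in the test.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style logger such as sql_print_warning(): the
 * 'format' argument is handed to vsnprintf, so every '%' directive in
 * it consumes a variadic argument. Added example, not MariaDB code. */
static int log_warning(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Shape of the defect from the commit message: the query text itself is
 * the format string. With fourteen "%s" in the query, vsnprintf would
 * read fourteen pointers that were never passed (undefined behaviour,
 * the reported segfault). Kept for comparison only; never invoked. */
static int warn_unsafe_vulnerable(const char *query, char *out, size_t outlen)
{
    return log_warning(out, outlen, query);
}

/* Fixed shape from the commit: a fixed format string, the query passed
 * as its argument. Directives inside the query are copied literally. */
static int warn_unsafe_fixed(const char *query, char *out, size_t outlen)
{
    return log_warning(out, outlen,
                       "Statement is not safe to log in statement format: %s",
                       query);
}

/* Defensive check: number of conversion directives a string would
 * trigger if (mis)used as a printf format. "%%" is an escaped percent
 * sign and consumes no argument. A non-zero result for user-controlled
 * text that reaches a format-string parameter is the bug this commit
 * fixes, which makes this a cheap review or static-analysis assertion. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed to mirror the UPDATE in binlog_unsafe.test: two runs
     * of seven "%s" give the fourteen directives of the original. */
    const char *query = "UPDATE t1 SET b = '"
                        "%s%s%s%s%s%s%s" "%s%s%s%s%s%s%s"
                        "' WHERE a = 'a' LIMIT 1";
    char buf[512];

    (void)warn_unsafe_vulnerable;   /* deliberately never called */
    printf("directives in query: %d\n", count_format_directives(query));
    warn_unsafe_fixed(query, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The count helper is the check a reviewer would want on any call site where a non-literal string reaches a format parameter; compilers flag the same shape with -Wformat-security, which is the cheapest way to catch this class of bug before it ships.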


@ -220,3 +220,10 @@ Warning 1592 Statement is not safe to log in statement format.
Warning 1592 Statement is not safe to log in statement format.
DROP PROCEDURE p1;
DROP TABLE t1;
DROP TABLE IF EXISTS t1;
CREATE TABLE t1 (a VARCHAR(100), b VARCHAR(100));
INSERT INTO t1 VALUES ('a','b');
UPDATE t1 SET b = '%s%s%s%s%s%s%s%s%s%s%s%s%s%s' WHERE a = 'a' LIMIT 1;
Warnings:
Warning 1592 Statement is not safe to log in statement format.
DROP TABLE t1;
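Review bot: the added result block only covers the UPDATE ... LIMIT path with `%s` inside a string literal; the commit message also describes the delayed-insert case where THD::query points at the table name, yet no INSERT DELAYED statement appears in this hunk, so that second part of the fix has no regression coverage here. Minor: `DROP TABLE IF EXISTS t1;` directly after `DROP TABLE t1;` is redundant and can be dropped.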