A fix and test case for Bug#5194 "Bulk Insert Failures with Prepared

Statements": - fix a couple of net->buff overruns in libmysql, - check in the server that statement parameter count is less than 65535 (maximum value supported by prepared statements protocol). libmysql/libmysql.c: Bug#5194 "Bulk Insert Failures with Prepared Statements": - clean up my_realloc_str() - ensure that net buffer has space when storing null bits and parameter typecodes. sql/net_serv.cc: - set net->last_errno if packet is too big, even on client (Why was it ifdefed before?) sql/sql_prepare.cc: Bug#5194 "Bulk Insert Failures with Prepared Statements": - if placeholder count is bigger than 65535, give error. We have only 2 bytes reserved for transferring placeholder count in 4.1 protocol. - can't add a proper error code and message in 4.1 because of possible merge difficulties." tests/client_test.c: A test case for Bug#5194 "Bulk Insert Failures with Prepared Statements".
2025-07-27 18:02:13 +03:00 · 2004-09-08 23:07:11 +04:00
parent a2e570ab39
commit d7a230677c
4 changed files with 211 additions and 10 deletions
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@ -1703,16 +1703,18 @@ static void stmt_update_metadata(MYSQL_STMT *stmt, MYSQL_ROWS *data);
 /**************** Misc utility functions ****************************/

 /*
-  Reallocate the NET package to be at least of 'length' bytes
+  Reallocate the NET package to have at least length bytes available.

  SYNPOSIS
-   my_realloc_str()
-   net                 The NET structure to modify
-   length              Ensure that net->buff is at least this big
+    my_realloc_str()
+    net                 The NET structure to modify.
+    length              Ensure that net->buff has space for at least
+                        this number of bytes.

  RETURN VALUES
-  0	ok
-  1	Error
+    0   Success.
+    1   Error, i.e. out of memory or requested packet size is bigger
+        than max_allowed_packet. The error code is stored in net->last_errno.
 */

 static my_bool my_realloc_str(NET *net, ulong length)
@ -2365,7 +2367,7 @@ static my_bool store_param(MYSQL_STMT *stmt, MYSQL_BIND *param)
    */
    if ((my_realloc_str(net, *param->length)))
    {
-      set_stmt_error(stmt, CR_OUT_OF_MEMORY, unknown_sqlstate);
+      set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
      DBUG_RETURN(1);
    }
    (*param->store_param_func)(net, param);
@ -2427,6 +2429,11 @@ int cli_stmt_execute(MYSQL_STMT *stmt)
    net_clear(net);				/* Sets net->write_pos */
    /* Reserve place for null-marker bytes */
    null_count= (stmt->param_count+7) /8;
+    if (my_realloc_str(net, null_count + 1))
+    {
+      set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
+      DBUG_RETURN(1);
+    }
    bzero((char*) net->write_pos, null_count);
    net->write_pos+= null_count;
    param_end= stmt->params + stmt->param_count;
@ -2435,6 +2442,11 @@ int cli_stmt_execute(MYSQL_STMT *stmt)
    *(net->write_pos)++= (uchar) stmt->send_types_to_server;
    if (stmt->send_types_to_server)
    {
+      if (my_realloc_str(net, 2 * stmt->param_count))
+      {
+        set_stmt_error(stmt, net->last_errno, unknown_sqlstate);
+        DBUG_RETURN(1);
+      }
      /*
 	Store types of parameters in first in first package
 	that is sent to the server.