authorunknown <marko@hundin.mysql.fi>2004-04-01 16:51:34 +0300
committerunknown <marko@hundin.mysql.fi>2004-04-01 16:51:34 +0300
commit025ddfea288890236d4da04b46b3fff926707de3 (patch)
treefab5076a83cb8b112b16f76355f3a96a708c48ba /innobase/dict/dict0crea.c
parent95367941561263fac5ee399dd8eb4a408690bc0d (diff)
InnoDB cleanup: fixing buffer overflows and quoting of quotes
innobase/dict/dict0crea.c: Remove unneeded prototypes for static functions Remove unused parameters from some functions Replace some assertions with compile-time checks dict_create_add_foreigns_to_dictionary(): allocate space dynamically for the SQL, and quote quotes innobase/dict/dict0dict.c: Remove unnecessary prototypes for static functions dict_tables_have_same_db(): Remove length limitation dict_remove_db_name(): Use strchr() dict_get_db_name_len(): Use strchr() Replace mem_heap_alloc()+strlen()+memcpy() with mem_heap_strdup() Remove unnecessary strlen() calls Allocate space dynamically for generated strings dict_scan_id(): allow quotes within quoted strings innobase/dict/dict0load.c: Remove unnecessary strlen() calls Replace mem_heap_alloc()+strlen()+memcpy() with mem_heap_strdup() innobase/dict/dict0mem.c: Replace mem_heap_alloc()+strlen()+memcpy() with mem_heap_strdup() innobase/eval/eval0eval.c: Make TO_CHAR() work with any machine word width innobase/fil/fil0fil.c: Replace mem_alloc()+strlen()+strcpy() with mem_strdup() innobase/ibuf/ibuf0ibuf.c: Make some global variables static Add #ifdef UNIV_IBUF_DEBUG around debug statements innobase/include/data0data.h: Add #ifdef UNIV_DEBUG around dtuple_validate() innobase/include/data0data.ic: Replace = with == in ut_ad(tuple->magic_n == DATA_TUPLE_MAGIC_N) innobase/include/dict0dict.h: Add const qualifiers innobase/include/lock0lock.h: Add UL suffixes to unsigned long masks innobase/include/log0log.h: Remove unused parameter "type" of log_group_write_buf() innobase/include/mem0mem.h: Add mem_strdup(), mem_strdupl(), mem_strdupq(), mem_heap_strdup(), and mem_heap_strdupl() innobase/include/mem0mem.ic: Add mem_strdup(), mem_strdupl(), mem_strdupq(), mem_heap_strdup(), and mem_heap_strdupl() innobase/include/row0uins.h: Remove unused parameter "thr" of row_undo_ins() innobase/include/row0undo.h: Remove unused parameter "thr" of row_undo_search_clust_to_pcur() innobase/include/ut0byte.h: Add const qualifier to 
ut_cpy_in_lower_case() Remove parameter "len" of ut_cmp_in_lower_case() innobase/include/ut0mem.h: Add ut_strlenq(), ut_strcpyq() and ut_memcpyq() innobase/include/ut0mem.ic: Add ut_strlenq() innobase/include/ut0ut.h: Declare ut_sprintf() as a printf-style function innobase/lock/lock0lock.c: lock_clust_rec_modify_check_and_lock(): Remove unused variable "trx" innobase/log/log0log.c: Remove unused parameters innobase/log/log0recv.c: Remove parameter "type" from log_group_write_buf() innobase/mem/mem0mem.c: Simplify the initialization of block->init_block innobase/mtr/mtr0log.c: Add a debug assertion to mlog_parse_initial_log_record() innobase/page/page0cur.c: Add debug assertion to page_cur_insert_rec_write_log() Remove hard-coded buffer size in page_cur_parse_insert_rec() innobase/page/page0page.c: Remove unneeded variable rec innobase/pars/pars0opt.c: Correct a potential buffer overflow innobase/pars/pars0pars.c: Replace mem_heap_alloc()+strlen()+memcpy() with mem_heap_strdup() innobase/row/row0ins.c: Replace parameter "thr" with "trx" in row_ins_foreign_report_add_err() Remove unnecessary strlen() call Use strchr() innobase/row/row0mysql.c: Add row_mysql_is_recovered_tmp_table() Add row_mysql_is_system_table() Compare reserved table names with exact match Use strstr() and strchr() and mem_strdupl() Compute space needed for generated SQL, and allocate it dynamically innobase/row/row0purge.c: Remove unused parameters "thr" innobase/row/row0row.c: Simplify row_get_clust_rec() innobase/row/row0uins.c: Remove unused parameters "thr" innobase/row/row0umod.c: Remove unused variable "index" row_undo_mod_del_unmark_sec_and_undo_update(): Remove parameter "node" and variable "rec" Remove unused parameters "thr" innobase/row/row0undo.c: Remove unused parameters "thr" innobase/srv/srv0srv.c: Replace UT_NOT_USED() with __attribute__((unused)) innobase/srv/srv0start.c: Remove unnecessary strlen() calls Remove unused parameter "create_new_db" of open_or_create_log_file() 
innobase/trx/trx0roll.c: Replace mem_alloc()+strlen()+memcpy() with mem_strdup() innobase/trx/trx0sys.c: Remove unnecessary strlen() call innobase/ut/ut0byte.c: Add const qualifier to ut_cpy_in_lower_case() Remove parameter "len" of ut_cmp_in_lower_case() innobase/ut/ut0mem.c: Add ut_strlenq() and ut_memcpyq() sql/ha_innodb.cc: Remove parameter "len" of ut_cmp_in_lower_case()
Diffstat (limited to 'innobase/dict/dict0crea.c')
-rw-r--r--innobase/dict/dict0crea.c188
1 files changed, 77 insertions, 111 deletions
diff --git a/innobase/dict/dict0crea.c b/innobase/dict/dict0crea.c
index 48fcb9c1e79..967818a3784 100644
--- a/innobase/dict/dict0crea.c
+++ b/innobase/dict/dict0crea.c
@@ -37,67 +37,6 @@ static
dtuple_t*
dict_create_sys_tables_tuple(
/*=========================*/
- /* out: the tuple which should be inserted */
- dict_table_t* table, /* in: table */
- mem_heap_t* heap); /* in: memory heap from which the memory for
- the built tuple is allocated */
-/*********************************************************************
-Based on a table object, this function builds the entry to be inserted
-in the SYS_COLUMNS system table. */
-static
-dtuple_t*
-dict_create_sys_columns_tuple(
-/*==========================*/
- /* out: the tuple which should be inserted */
- dict_table_t* table, /* in: table */
- ulint i, /* in: column number */
- mem_heap_t* heap); /* in: memory heap from which the memory for
- the built tuple is allocated */
-/*********************************************************************
-Based on an index object, this function builds the entry to be inserted
-in the SYS_INDEXES system table. */
-static
-dtuple_t*
-dict_create_sys_indexes_tuple(
-/*==========================*/
- /* out: the tuple which should be inserted */
- dict_index_t* index, /* in: index */
- mem_heap_t* heap, /* in: memory heap from which the memory for
- the built tuple is allocated */
- trx_t* trx); /* in: transaction handle */
-/*********************************************************************
-Based on an index object, this function builds the entry to be inserted
-in the SYS_FIELDS system table. */
-static
-dtuple_t*
-dict_create_sys_fields_tuple(
-/*=========================*/
- /* out: the tuple which should be inserted */
- dict_index_t* index, /* in: index */
- ulint i, /* in: field number */
- mem_heap_t* heap); /* in: memory heap from which the memory for
- the built tuple is allocated */
-/*********************************************************************
-Creates the tuple with which the index entry is searched for
-writing the index tree root page number, if such a tree is created. */
-static
-dtuple_t*
-dict_create_search_tuple(
-/*=====================*/
- /* out: the tuple for search */
- dtuple_t* tuple, /* in: the tuple inserted in the SYS_INDEXES
- table */
- mem_heap_t* heap); /* in: memory heap from which the memory for
- the built tuple is allocated */
-
-/*********************************************************************
-Based on a table object, this function builds the entry to be inserted
-in the SYS_TABLES system table. */
-static
-dtuple_t*
-dict_create_sys_tables_tuple(
-/*=========================*/
- /* out: the tuple which should be inserted */
dict_table_t* table, /* in: table */
mem_heap_t* heap) /* in: memory heap from which the memory for
the built tuple is allocated */
@@ -331,9 +270,8 @@ dict_create_sys_indexes_tuple(
/*==========================*/
/* out: the tuple which should be inserted */
dict_index_t* index, /* in: index */
- mem_heap_t* heap, /* in: memory heap from which the memory for
+ mem_heap_t* heap) /* in: memory heap from which the memory for
the built tuple is allocated */
- trx_t* trx) /* in: transaction handle */
{
dict_table_t* sys_indexes;
dict_table_t* table;
@@ -341,7 +279,6 @@ dict_create_sys_indexes_tuple(
dfield_t* dfield;
byte* ptr;
- UT_NOT_USED(trx);
#ifdef UNIV_SYNC_DEBUG
ut_ad(mutex_own(&(dict_sys->mutex)));
#endif /* UNIV_SYNC_DEBUG */
@@ -387,7 +324,9 @@ dict_create_sys_indexes_tuple(
dfield_set_data(dfield, ptr, 4);
/* 7: SPACE --------------------------*/
- ut_a(DICT_SYS_INDEXES_SPACE_NO_FIELD == 7);
+#if DICT_SYS_INDEXES_SPACE_NO_FIELD != 7
+#error "DICT_SYS_INDEXES_SPACE_NO_FIELD != 7"
+#endif
dfield = dtuple_get_nth_field(entry, 5);
@@ -397,7 +336,9 @@ dict_create_sys_indexes_tuple(
dfield_set_data(dfield, ptr, 4);
/* 8: PAGE_NO --------------------------*/
- ut_a(DICT_SYS_INDEXES_PAGE_NO_FIELD == 8);
+#if DICT_SYS_INDEXES_PAGE_NO_FIELD != 8
+#error "DICT_SYS_INDEXES_PAGE_NO_FIELD != 8"
+#endif
dfield = dtuple_get_nth_field(entry, 6);
@@ -565,8 +506,7 @@ dict_build_index_def_step(
index->page_no = FIL_NULL;
- row = dict_create_sys_indexes_tuple(index, node->heap,
- thr_get_trx(thr));
+ row = dict_create_sys_indexes_tuple(index, node->heap);
node->ind_row = row;
ins_node_set_new_row(node->ind_def, row);
@@ -602,7 +542,6 @@ ulint
dict_create_index_tree_step(
/*========================*/
/* out: DB_SUCCESS or DB_OUT_OF_FILE_SPACE */
- que_thr_t* thr, /* in: query thread */
ind_node_t* node) /* in: index create node */
{
dict_index_t* index;
@@ -615,7 +554,6 @@ dict_create_index_tree_step(
#ifdef UNIV_SYNC_DEBUG
ut_ad(mutex_own(&(dict_sys->mutex)));
#endif /* UNIV_SYNC_DEBUG */
- UT_NOT_USED(thr);
index = node->index;
table = node->table;
@@ -963,7 +901,7 @@ dict_create_index_step(
if (node->state == INDEX_CREATE_INDEX_TREE) {
- err = dict_create_index_tree_step(thr, node);
+ err = dict_create_index_tree_step(node);
if (err != DB_SUCCESS) {
@@ -1166,11 +1104,22 @@ dict_create_add_foreigns_to_dictionary(
que_t* graph;
ulint number = start_id + 1;
ulint len;
- ulint namelen;
ulint error;
char* ebuf = dict_foreign_err_buf;
ulint i;
- char buf[10000];
+ char* sql;
+ char* sqlend;
+ /* This procedure builds an InnoDB stored procedure which will insert
+ the necessary rows into SYS_FOREIGN and SYS_FOREIGN_COLS. */
+ static const char str1[] = "PROCEDURE ADD_FOREIGN_DEFS_PROC () IS\n"
+ "BEGIN\n"
+ "INSERT INTO SYS_FOREIGN VALUES(";
+ static const char str2[] = ");\n";
+ static const char str3[] =
+ "INSERT INTO SYS_FOREIGN_COLS VALUES(";
+ static const char str4[] =
+ "COMMIT WORK;\n"
+ "END;\n";
#ifdef UNIV_SYNC_DEBUG
ut_ad(mutex_own(&(dict_sys->mutex)));
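Review bot: The four `static const char` fragments are named `str1` to `str4`, which does not say which piece of the generated procedure each one holds, and the sizing code later in the function takes their lengths with `sizeof`, so they must stay arrays. A short comment above them would make that constraint visible, for example `/* keep these as arrays, not pointers: their lengths are taken with sizeof */`. The rest of dict_create_add_foreigns_to_dictionary() lies outside this hunk.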
@@ -1190,58 +1139,75 @@ loop:
return(DB_SUCCESS);
}
- /* Build an InnoDB stored procedure which will insert the necessary
- rows to SYS_FOREIGN and SYS_FOREIGN_COLS */
-
- len = 0;
-
- len += sprintf(buf,
- "PROCEDURE ADD_FOREIGN_DEFS_PROC () IS\n"
- "BEGIN\n");
-
- namelen = strlen(table->name);
- ut_a(namelen < MAX_TABLE_NAME_LEN);
-
if (foreign->id == NULL) {
/* Generate a new constraint id */
- foreign->id = mem_heap_alloc(foreign->heap, namelen + 20);
+ ulint namelen = strlen(table->name);
+ char* id = mem_heap_alloc(foreign->heap, namelen + 20);
/* no overflow if number < 1e13 */
- sprintf(foreign->id, "%s_ibfk_%lu", table->name, number);
- number++;
+ sprintf(id, "%s_ibfk_%lu", table->name, number++);
+ foreign->id = id;
}
- ut_a(strlen(foreign->id) < MAX_IDENTIFIER_LEN);
- ut_a(len < (sizeof buf)
- - 46 - 2 * MAX_TABLE_NAME_LEN - MAX_IDENTIFIER_LEN - 20);
+ len = (sizeof str1) + (sizeof str2) + (sizeof str4) - 3
+ + 9/* ' and , chars */ + 10/* 32-bit integer */
+ + ut_strlenq(foreign->id, '\'') * (foreign->n_fields + 1)
+ + ut_strlenq(table->name, '\'')
+ + ut_strlenq(foreign->referenced_table_name, '\'');
+
+ for (i = 0; i < foreign->n_fields; i++) {
+ len += 9/* ' and , chars */ + 10/* 32-bit integer */
+ + (sizeof str3) + (sizeof str2) - 2
+ + ut_strlenq(foreign->foreign_col_names[i], '\'')
+ + ut_strlenq(foreign->referenced_col_names[i], '\'');
+ }
- len += sprintf(buf + len,
- "INSERT INTO SYS_FOREIGN VALUES('%s', '%s', '%s', %lu);\n",
- foreign->id,
- table->name,
- foreign->referenced_table_name,
- foreign->n_fields
- + (foreign->type << 24));
+ sql = sqlend = mem_alloc(len + 1);
+
+ /* INSERT INTO SYS_FOREIGN VALUES(...); */
+ memcpy(sqlend, str1, (sizeof str1) - 1);
+ sqlend += (sizeof str1) - 1;
+ *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'', foreign->id);
+ *sqlend++ = '\'', *sqlend++ = ',', *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'', table->name);
+ *sqlend++ = '\'', *sqlend++ = ',', *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'', foreign->referenced_table_name);
+ *sqlend++ = '\'', *sqlend++ = ',';
+ sqlend += sprintf(sqlend, "%010lu",
+ foreign->n_fields + (foreign->type << 24));
+ memcpy(sqlend, str2, (sizeof str2) - 1);
+ sqlend += (sizeof str2) - 1;
for (i = 0; i < foreign->n_fields; i++) {
- ut_a(len < (sizeof buf)
- - 51 - 2 * MAX_COLUMN_NAME_LEN
- - MAX_IDENTIFIER_LEN - 20);
-
- len += sprintf(buf + len,
- "INSERT INTO SYS_FOREIGN_COLS VALUES('%s', %lu, '%s', '%s');\n",
- foreign->id,
- i,
- foreign->foreign_col_names[i],
- foreign->referenced_col_names[i]);
+ /* INSERT INTO SYS_FOREIGN_COLS VALUES(...); */
+ memcpy(sqlend, str3, (sizeof str3) - 1);
+ sqlend += (sizeof str3) - 1;
+ *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'', foreign->id);
+ *sqlend++ = '\''; *sqlend++ = ',';
+ sqlend += sprintf(sqlend, "%010lu", i);
+ *sqlend++ = ','; *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'',
+ foreign->foreign_col_names[i]);
+ *sqlend++ = '\''; *sqlend++ = ','; *sqlend++ = '\'';
+ sqlend = ut_strcpyq(sqlend, '\'',
+ foreign->referenced_col_names[i]);
+ *sqlend++ = '\'';
+ memcpy(sqlend, str2, (sizeof str2) - 1);
+ sqlend += (sizeof str2) - 1;
}
- ut_a(len < (sizeof buf) - 19);
- len += sprintf(buf + len,"COMMIT WORK;\nEND;\n");
+ memcpy(sqlend, str4, sizeof str4);
+ sqlend += sizeof str4;
- graph = pars_sql(buf);
+ ut_a(sqlend == sql + len + 1);
+
+ graph = pars_sql(sql);
ut_a(graph);
+ mem_free(sql);
+
graph->trx = trx;
trx->graph = NULL;
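Review bot: The only guard on the hand-computed `len` is `ut_a(sqlend == sql + len + 1)`, which runs after every `memcpy`, `ut_strcpyq` and `sprintf` has already written, so a miscount is reported only once the `mem_alloc(len + 1)` block has been overrun. The `10/* 32-bit integer */` budget is not enforced by `"%010lu"` either, since that sets a minimum width; if `ulint` is wider than 32 bits on some build, a large value would print more than ten digits. Checking the value before formatting, e.g. `ut_a(foreign->n_fields + (foreign->type << 24) <= 0xFFFFFFFFUL);`, would enforce the budget, and the same concern applies to `sprintf(id, "%s_ibfk_%lu", ...)`, where `namelen + 20` is only enough while `number < 1e13`. It is also worth confirming that the parser behind `pars_sql()` reads a doubled `'` as one literal quote, because this page does not show that side. The function begins and ends outside this hunk.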