InnoDB cleanup: fixing buffer overflows and quoting of quotes

13 files changed, 233 insertions, 31 deletions

diff --git a/innobase/include/data0data.h b/innobase/include/data0data.h
index c4e93bec738..b100ef5b583 100644
--- a/innobase/include/data0data.h
+++ b/innobase/include/data0data.h
@@ -294,6 +294,7 @@ dtuple_check_typed_no_assert(
 /*=========================*/
 				/* out: TRUE if ok */
 	dtuple_t*	tuple);	/* in: tuple */
+#ifdef UNIV_DEBUG
 /**************************************************************
 Validates the consistency of a tuple which must be complete, i.e,
 all fields must have been set. */
@@ -303,6 +304,7 @@ dtuple_validate(
 /*============*/
 				/* out: TRUE if ok */
 	dtuple_t*	tuple);	/* in: tuple */
+#endif /* UNIV_DEBUG */
 /*****************************************************************
 Pretty prints a dfield value according to its data type. */
 
diff --git a/innobase/include/data0data.ic b/innobase/include/data0data.ic
index def80d3f430..697a272ccd6 100644
--- a/innobase/include/data0data.ic
+++ b/innobase/include/data0data.ic
@@ -299,7 +299,7 @@ dtuple_get_data_size(
 
 	ut_ad(tuple);
 	ut_ad(dtuple_check_typed(tuple));
-	ut_ad(tuple->magic_n = DATA_TUPLE_MAGIC_N);
+	ut_ad(tuple->magic_n == DATA_TUPLE_MAGIC_N);
 
 	n_fields = tuple->n_fields;
 
@@ -355,7 +355,7 @@ dtuple_fold(
 	ulint		fold;
 
 	ut_ad(tuple);
-	ut_ad(tuple->magic_n = DATA_TUPLE_MAGIC_N);
+	ut_ad(tuple->magic_n == DATA_TUPLE_MAGIC_N);
 	ut_ad(dtuple_check_typed(tuple));
 
 	fold = ut_fold_dulint(tree_id);
diff --git a/innobase/include/dict0dict.h b/innobase/include/dict0dict.h
index 2e51fecdb8d..f0523c5f204 100644
--- a/innobase/include/dict0dict.h
+++ b/innobase/include/dict0dict.h
@@ -32,20 +32,21 @@ Get the database name length in a table name. */
 ulint
 dict_get_db_name_len(
 /*=================*/
-			/* out: database name length */
-	char*	name);	/* in: table name in the form dbname '/' tablename */
+				/* out: database name length */
+	const char*	name);	/* in: table name in the form
+				dbname '/' tablename */
 /*************************************************************************
 Accepts a specified string. Comparisons are case-insensitive. */
 
-char*
+const char*
 dict_accept(
 /*========*/
-			/* out: if string was accepted, the pointer
-			is moved after that, else ptr is returned */
-	char*	ptr,	/* in: scan from this */
-	const char* string,/* in: accept only this string as the next
-			non-whitespace string */
-	ibool*	success);/* out: TRUE if accepted */
+				/* out: if string was accepted, the pointer
+				is moved after that, else ptr is returned */
+	const char*	ptr,	/* in: scan from this */
+	const char*	string,	/* in: accept only this string as the next
+				non-whitespace string */
+	ibool*		success);/* out: TRUE if accepted */
 /************************************************************************
 Decrements the count of open MySQL handles to a table. */
 
@@ -216,7 +217,7 @@ dict_foreign_parse_drop_constraints(
 	dict_table_t*	table,			/* in: table */
 	ulint*		n,			/* out: number of constraints
 						to drop */
-	char***		constraints_to_drop);	/* out: id's of the
+	const char***	constraints_to_drop);	/* out: id's of the
 						constraints to drop */
 /**************************************************************************
 Returns a table object and memoryfixes it. NOTE! This is a high-level
@@ -321,7 +322,7 @@ dict_table_print_by_name(
 /*=====================*/
 	char*	name);
 /**************************************************************************
-Sprintfs to a string info on foreign keys of a table. */
+Outputs info on foreign keys of a table. */
 
 void
 dict_print_info_on_foreign_keys(
diff --git a/innobase/include/lock0lock.h b/innobase/include/lock0lock.h
index 0fd1696b882..103d28cd130 100644
--- a/innobase/include/lock0lock.h
+++ b/innobase/include/lock0lock.h
@@ -526,12 +526,12 @@ extern lock_sys_t*	lock_sys;
 #define	LOCK_X		5	/* exclusive */
 #define	LOCK_AUTO_INC	6	/* locks the auto-inc counter of a table
 				in an exclusive mode */
-#define LOCK_MODE_MASK	0xF	/* mask used to extract mode from the
+#define LOCK_MODE_MASK	0xFUL	/* mask used to extract mode from the
 				type_mode field in a lock */
 /* Lock types */
 #define LOCK_TABLE	16	/* these type values should be so high that */
 #define	LOCK_REC	32	/* they can be ORed to the lock mode */
-#define LOCK_TYPE_MASK	0xF0	/* mask used to extract lock type from the
+#define LOCK_TYPE_MASK	0xF0UL	/* mask used to extract lock type from the
 				type_mode field in a lock */
 /* Waiting lock flag */
 #define LOCK_WAIT	256	/* this wait bit should be so high that
diff --git a/innobase/include/log0log.h b/innobase/include/log0log.h
index 9fba0c46407..3295bc2d231 100644
--- a/innobase/include/log0log.h
+++ b/innobase/include/log0log.h
@@ -366,7 +366,6 @@ Writes a buffer to a log file group. */
 void
 log_group_write_buf(
 /*================*/
-	ulint		type,		/* in: LOG_FLUSH or LOG_RECOVER */
 	log_group_t*	group,		/* in: log group */
 	byte*		buf,		/* in: buffer */
 	ulint		len,		/* in: buffer len; must be divisible
@@ -551,7 +550,7 @@ extern log_t*	log_sys;
 					highest bit is set to 1 if this is the
 					first log block in a log flush write
 					segment */
-#define LOG_BLOCK_FLUSH_BIT_MASK 0x80000000
+#define LOG_BLOCK_FLUSH_BIT_MASK 0x80000000UL
 					/* mask used to get the highest bit in
 					the preceding field */
 #define	LOG_BLOCK_HDR_DATA_LEN	4	/* number of bytes of log written to
diff --git a/innobase/include/mem0mem.h b/innobase/include/mem0mem.h
index 9ab3b2cd754..89e2a337c99 100644
--- a/innobase/include/mem0mem.h
+++ b/innobase/include/mem0mem.h
@@ -271,6 +271,59 @@ mem_realloc(
 	ulint   n,	/* in: desired number of bytes */
 	char*  	file_name,/* in: file name where called */
 	ulint 	line);  /* in: line where called */
+
+/**************************************************************************
+Duplicates a NUL-terminated string. */
+UNIV_INLINE
+char*
+mem_strdup(
+/*=======*/
+				/* out, own: a copy of the string,
+				must be deallocated with mem_free */
+	const char*	str);	/* in: string to be copied */
+/**************************************************************************
+Makes a NUL-terminated copy of a nonterminated string. */
+UNIV_INLINE
+char*
+mem_strdupl(
+/*========*/
+				/* out, own: a copy of the string,
+				must be deallocated with mem_free */
+	const char*	str,	/* in: string to be copied */
+	ulint		len);	/* in: length of str, in bytes */
+
+/**************************************************************************
+Makes a NUL-terminated quoted copy of a NUL-terminated string. */
+UNIV_INLINE
+char*
+mem_strdupq(
+/*========*/
+				/* out, own: a quoted copy of the string,
+				must be deallocated with mem_free */
+	const char*	str,	/* in: string to be copied */
+	char		q);	/* in: quote character */
+
+/**************************************************************************
+Duplicates a NUL-terminated string, allocated from a memory heap. */
+UNIV_INLINE
+char*
+mem_heap_strdup(
+/*============*/
+				/* out, own: a copy of the string */
+	mem_heap_t* heap,	/* in: memory heap where string is allocated */
+	const char* str);	/* in: string to be copied */
+/**************************************************************************
+Makes a NUL-terminated copy of a nonterminated string,
+allocated from a memory heap. */
+UNIV_INLINE
+char*
+mem_heap_strdupl(
+/*=============*/
+				/* out, own: a copy of the string */
+	mem_heap_t*	heap,	/* in: memory heap where string is allocated */
+	const char*	str,	/* in: string to be copied */
+	ulint		len);	/* in: length of str, in bytes */
+
 #ifdef MEM_PERIODIC_CHECK
 /**********************************************************************
 Goes through the list of all allocated mem blocks, checks their magic
diff --git a/innobase/include/mem0mem.ic b/innobase/include/mem0mem.ic
index fb4cef49ec9..c250e6948ec 100644
--- a/innobase/include/mem0mem.ic
+++ b/innobase/include/mem0mem.ic
@@ -579,3 +579,99 @@ mem_realloc(
 
 	return(mem_alloc_func(n, file_name, line));
 }
+
+/**************************************************************************
+Duplicates a NUL-terminated string. */
+UNIV_INLINE
+char*
+mem_strdup(
+/*=======*/
+				/* out, own: a copy of the string,
+				must be deallocated with mem_free */
+	const char*	str)	/* in: string to be copied */
+{
+	ulint	len = strlen(str) + 1;
+	return(memcpy(mem_alloc(len), str, len));
+}
+
+/**************************************************************************
+Makes a NUL-terminated copy of a nonterminated string. */
+UNIV_INLINE
+char*
+mem_strdupl(
+/*========*/
+				/* out, own: a copy of the string,
+				must be deallocated with mem_free */
+	const char*	str,	/* in: string to be copied */
+	ulint		len)	/* in: length of str, in bytes */
+{
+	char*	s = mem_alloc(len + 1);
+	s[len] = 0;
+	return(memcpy(s, str, len));
+}
+
+/**************************************************************************
+Makes a NUL-terminated quoted copy of a NUL-terminated string. */
+UNIV_INLINE
+char*
+mem_strdupq(
+/*========*/
+				/* out, own: a quoted copy of the string,
+				must be deallocated with mem_free */
+	const char*	str,	/* in: string to be copied */
+	char		q)	/* in: quote character */
+{
+	char*		dst;
+	char*		d;
+	const char*	s	= str;
+	int		len	= strlen(str) + 3;
+	/* calculate the number of quote characters in the string */
+	while((s = strchr(s, q)) != NULL) {
+		s++;
+		len++;
+	}
+	/* allocate the quoted string, and copy it */
+	d = dst = mem_alloc(len);
+	*d++ = q;
+	s = str;
+	while(*s) {
+		if ((*d++ = *s++) == q) {
+			*d++ = q;
+		}
+	}
+	*d++ = q;
+	*d++ = '\0';
+	ut_ad(len == d - dst);
+	return(dst);
+}
+
+/**************************************************************************
+Duplicates a NUL-terminated string, allocated from a memory heap. */
+UNIV_INLINE
+char*
+mem_heap_strdup(
+/*============*/
+				/* out, own: a copy of the string */
+	mem_heap_t* heap,	/* in: memory heap where string is allocated */
+	const char* str)	/* in: string to be copied */
+{
+	ulint	len = strlen(str) + 1;
+	return(memcpy(mem_heap_alloc(heap, len), str, len));
+}
+
+/**************************************************************************
+Makes a NUL-terminated copy of a nonterminated string,
+allocated from a memory heap. */
+UNIV_INLINE
+char*
+mem_heap_strdupl(
+/*=============*/
+				/* out, own: a copy of the string */
+	mem_heap_t*	heap,	/* in: memory heap where string is allocated */
+	const char*	str,	/* in: string to be copied */
+	ulint		len)	/* in: length of str, in bytes */
+{
+	char*	s = mem_heap_alloc(heap, len + 1);
+	s[len] = 0;
+	return(memcpy(s, str, len));
+}
diff --git a/innobase/include/row0uins.h b/innobase/include/row0uins.h
index df5e072487e..fc57881f691 100644
--- a/innobase/include/row0uins.h
+++ b/innobase/include/row0uins.h
@@ -26,8 +26,7 @@ ulint
 row_undo_ins(
 /*=========*/
 				/* out: DB_SUCCESS */
-	undo_node_t*	node,	/* in: row undo node */
-	que_thr_t*	thr);	/* in: query thread */
+	undo_node_t*	node);	/* in: row undo node */
 
 
 #ifndef UNIV_NONINL
diff --git a/innobase/include/row0undo.h b/innobase/include/row0undo.h
index 5402f1d9236..d64a00dcb8f 100644
--- a/innobase/include/row0undo.h
+++ b/innobase/include/row0undo.h
@@ -41,8 +41,7 @@ row_undo_search_clust_to_pcur(
 				/* out: TRUE if found; NOTE the node->pcur
 				must be closed by the caller, regardless of
 				the return value */
-	undo_node_t*	node,	/* in: row undo node */
-	que_thr_t*	thr);	/* in: query thread */
+	undo_node_t*	node);	/* in: row undo node */
 /***************************************************************
 Undoes a row operation in a table. This is a high-level function used
 in SQL execution graphs. */
diff --git a/innobase/include/ut0byte.h b/innobase/include/ut0byte.h
index 4fb45221899..dd13b19b864 100644
--- a/innobase/include/ut0byte.h
+++ b/innobase/include/ut0byte.h
@@ -235,21 +235,19 @@ Copies a string to a memory location, setting characters to lower case. */
 void
 ut_cpy_in_lower_case(
 /*=================*/
-        char*   dest,    /* in: destination */
-	char*   source,  /* in: source */
-        ulint   len);     /* in: string length */
+	char*		dest,	/* in: destination */
+	const char*	source,	/* in: source */
+	ulint		len);	/* in: string length */
 /****************************************************************
 Compares two strings when converted to lower case. */
 
 int
 ut_cmp_in_lower_case(
 /*=================*/
-		        /* out: -1, 0, 1 if str1 < str2, str1 == str2,
-			str1 > str2, respectively */
-       char*   str1,    /* in: string1 */
-       char*   str2,    /* in: string2 */
-       ulint   len);     /* in: length of both strings */
-
+				/* out: -1, 0, 1 if str1 < str2, str1 == str2,
+				str1 > str2, respectively */
+	const char*	str1,	/* in: string1 */
+	const char*	str2);	/* in: string2 */
 
 #ifndef UNIV_NONINL
 #include "ut0byte.ic"
diff --git a/innobase/include/ut0mem.h b/innobase/include/ut0mem.h
index 13ee8d5f5fa..bfda5ded40c 100644
--- a/innobase/include/ut0mem.h
+++ b/innobase/include/ut0mem.h
@@ -76,6 +76,39 @@ int
 ut_strcmp(void* str1, void* str2);
 
 /**************************************************************************
+Determine the length of a string when it is quoted with ut_strcpyq(). */
+UNIV_INLINE
+ulint
+ut_strlenq(
+/*=======*/
+				/* out: length of the string when quoted */
+	const char*	str,	/* in: null-terminated string */
+	char		q);	/* in: the quote character */
+
+/**************************************************************************
+Make a quoted copy of a string. */
+
+char*
+ut_strcpyq(
+/*=======*/
+				/* out: pointer to end of dest */
+	char*		dest,	/* in: output buffer */
+	char		q,	/* in: the quote character */
+	const char*	src);	/* in: null-terminated string */
+
+/**************************************************************************
+Make a quoted copy of a fixed-length string. */
+
+char*
+ut_memcpyq(
+/*=======*/
+				/* out: pointer to end of dest */
+	char*		dest,	/* in: output buffer */
+	char		q,	/* in: the quote character */
+	const char*	src,	/* in: string to be quoted */
+	ulint		len);	/* in: length of src */
+
+/**************************************************************************
 Catenates two strings into newly allocated memory. The memory must be freed
 using mem_free. */
 
diff --git a/innobase/include/ut0mem.ic b/innobase/include/ut0mem.ic
index 1049aee8ecc..951d9538424 100644
--- a/innobase/include/ut0mem.ic
+++ b/innobase/include/ut0mem.ic
@@ -48,3 +48,23 @@ ut_strcmp(void* str1, void* str2)
 	return(strcmp((char*)str1, (char*)str2));
 }
 
+/**************************************************************************
+Determine the length of a string when it is quoted with ut_strcpyq(). */
+UNIV_INLINE
+ulint
+ut_strlenq(
+/*=======*/
+				/* out: length of the string when quoted */
+	const char*	str,	/* in: null-terminated string */
+	char		q)	/* in: the quote character */
+{
+	ulint len;
+
+	for (len = 0; *str; len++, str++) {
+		if (*str == q) {
+			len++;
+		}
+	}
+
+	return(len);
+}
diff --git a/innobase/include/ut0ut.h b/innobase/include/ut0ut.h
index 8ec23b23dcd..637c9a68174 100644
--- a/innobase/include/ut0ut.h
+++ b/innobase/include/ut0ut.h
@@ -28,7 +28,9 @@ ut_sprintf(
 /*=======*/
         char*       buf,     /* in/out: buffer where to print */
         const char* format,  /* in: format of prints */
-        ...);                /* in: arguments to be printed */
+			...)	/* in: arguments to be printed */
+	__attribute__((__format__ (__printf__, 2, 3)));
+
 /************************************************************
 Gets the high 32 bits in a ulint. That is makes a shift >> 32,
 but since there seem to be compiler bugs in both gcc and Visual C++,