Fixed stack overrun with some INSERT ... SELECT ... GROUP BY queries (Bug #3265)

Ensure that raid_chunks is not set to higher than 255 as this could cause problems with DROP DATABASE. (Bug #3182)


mysql-test/r/raid.result:
  Test of raid_chunks > 255
mysql-test/t/raid.test:
  Test of raid_chunks > 255
sql/item.cc:
  Fixed wrong usage of str_value in Item::save_in_field
  This could caused a stack overrun with some very special INSERT ... SELECT ... GROUP BY queries where the GROUP BY value was an expression that generated a NULL value. (Bug #3265)
  The Item_copy_string::save_in_field() function is from 4.1 and helps optimized this case a bit
sql/item.h:
  Fixed wrong usage of str_value in Item_copy_string::save_in_field
sql/sql_insert.cc:
  More debug information
sql/table.cc:
  Ensure that raid_chunks is not set to higher than 255 as this could cause problems with DROP DATABASE.
  Another problem with values > 255 is that in the .frm file we store the chunks value in one byte.
  (Bug #3182)

1 files changed, 12 insertions, 0 deletions

diff --git a/sql/item.cc b/sql/item.cc
index fcc9372773a..739b5385b55 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -322,6 +322,15 @@ String *Item_copy_string::val_str(String *str)
   return &str_value;
 }
 
+bool Item_copy_string::save_in_field(Field *field, bool no_conversions)
+{
+  if (null_value)
+    return set_field_to_null(field);
+  field->set_notnull();
+  field->store(str_value.ptr(), str_value.length());
+  return 0;
+}
+
 /*
 ** Functions to convert item to field (for send_fields)
 */
@@ -520,7 +529,10 @@ bool Item::save_in_field(Field *field, bool no_conversions)
     str_value.set_quick(buff,sizeof(buff));
     result=val_str(&str_value);
     if (null_value)
+    {
+      str_value.set_quick(0, 0);
       return set_field_to_null_with_conversions(field, no_conversions);
+    }
     field->set_notnull();
     field->store(result->ptr(),result->length());
     str_value.set_quick(0, 0);