authorDavi Arnaut <Davi.Arnaut@Sun.COM>2009-02-09 16:17:58 -0200
committerDavi Arnaut <Davi.Arnaut@Sun.COM>2009-02-09 16:17:58 -0200
commitbab4ff1ae52762e5eeb828d89cc7cd3b6e94f3aa (patch)
tree3a8004c645037bae538dd8c5d994c150adbba3c9 /sql/sql_class.cc
parent461cad77b4e068ecc2534150170a029e6f425407 (diff)
Bug#42634: % character in query can cause mysqld signal 11 segfault
The problem is that a unfiltered user query was being passed as the format string parameter of sql_print_warning which later performs printf-like formatting, leading to crashes if the user query contains formatting instructions (ie: %s). Also, it was using THD::query as the source of the user query, but this variable is not meaningful in some situations -- in a delayed insert, it points to the table name. The solution is to pass the user query as a parameter for the format string and use the function parameter query_arg as the source of the user query. mysql-test/suite/binlog/r/binlog_unsafe.result: Add test case result for Bug#42634 mysql-test/suite/binlog/t/binlog_unsafe.test: Add test case for Bug#42634 sql/sql_class.cc: Don't pass the user query as a format string.
Diffstat (limited to 'sql/sql_class.cc')
-rw-r--r--sql/sql_class.cc8
1 files changed, 3 insertions, 5 deletions
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 06f1c644be0..118dc5af68f 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -3660,16 +3660,14 @@ int THD::binlog_query(THD::enum_binlog_query_type qtype, char const *query_arg,
if (lex->is_stmt_unsafe() &&
variables.binlog_format == BINLOG_FORMAT_STMT)
{
- DBUG_ASSERT(this->query != NULL);
push_warning(this, MYSQL_ERROR::WARN_LEVEL_WARN,
ER_BINLOG_UNSAFE_STATEMENT,
ER(ER_BINLOG_UNSAFE_STATEMENT));
if (!(binlog_flags & BINLOG_FLAG_UNSAFE_STMT_PRINTED))
{
- char warn_buf[MYSQL_ERRMSG_SIZE];
- my_snprintf(warn_buf, MYSQL_ERRMSG_SIZE, "%s Statement: %s",
- ER(ER_BINLOG_UNSAFE_STATEMENT), this->query);
- sql_print_warning(warn_buf);
+ sql_print_warning("%s Statement: %.*s",
+ ER(ER_BINLOG_UNSAFE_STATEMENT),
+ MYSQL_ERRMSG_SIZE, query_arg);
binlog_flags|= BINLOG_FLAG_UNSAFE_STMT_PRINTED;
}
}
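Review bot: The `%.*s` precision on the new sql_print_warning call is a fixed MYSQL_ERRMSG_SIZE rather than the length that accompanies query_arg, so the formatter still depends on query_arg being NUL-terminated within that many bytes; binlog_query appears to take an explicit length parameter after query_arg (it is cut off in the hunk header, so confirm its name), and that is the natural bound to use here. I would change the last argument line to `(int) (query_len < MYSQL_ERRMSG_SIZE ? query_len : MYSQL_ERRMSG_SIZE), query_arg);` (or the project's min macro), which keeps the truncation but never reads past the caller-supplied buffer. The precision argument of `%.*s` must be an `int`, so the cast matters if the length parameter is unsigned. Note also that the logged text is still raw user input and may contain newlines or control characters, so anyone parsing the error log should not assume one statement per line. The enclosing function THD::binlog_query starts before and continues after this hunk.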