summaryrefslogtreecommitdiff
path: root/sql
diff options
context:
space:
mode:
authorNisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com>2013-01-12 11:13:37 +0530
committerNisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com>2013-01-12 11:13:37 +0530
commitc4afaa42423d664477ca5df6cb45f49860381bfc (patch)
treea5d55ed844d1f9fd1c08f0e0cd4a6834b5eab058 /sql
parent21bdf213807e467e7638d0504e900070bb1689f5 (diff)
downloadmariadb-git-c4afaa42423d664477ca5df6cb45f49860381bfc.tar.gz
BUG#11757250: REPLACE(...) INSIDE A STORED PROCEDURE.
Analysis: -------- REPLACE operation provides incorrect output when user variable is supplied as an argument and there are multiple rows on which the operation is performed. Consider the example below: SET @var='(( 00000000 ++ 00000000 ))'; SELECT REPLACE(@var, '00000000', table_name) AS a FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='mysql'; Invalid output: +---------------------------------------+ | REPLACE(@var, '00000000', TABLE_NAME) | +---------------------------------------+ | (( columns_priv ++ columns_priv )) | | (( columns_priv ++ columns_priv )) | ...... ...... | (( columns_priv ++ columns_priv )) | | (( columns_priv ++ columns_priv )) | | (( columns_priv ++ columns_priv )) | +---------------------------------------+ The user argument supplied as the string to REPLACE operation is overwritten after the first iteration to '(( columns_priv ++ columns_priv ))'. The overwritten string after the first iteration is used for the subsequent REPLACE iteration. Since the pattern string is not found, it returns invalid output as mentioned above. Fix: --- If the Alloced_length is zero, realloc() and create a copy of the string which is then used for the REPLACE operation for every iteration.
Diffstat (limited to 'sql')
-rw-r--r--sql/sql_string.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
index 4dbc2d77206..10bd3511cd2 100644
--- a/sql/sql_string.cc
+++ b/sql/sql_string.cc
@@ -796,7 +796,7 @@ String *copy_if_not_alloced(String *to,String *from,uint32 from_length)
{
if (from->Alloced_length >= from_length)
return from;
- if (from->alloced || !to || from == to)
+ if ((from->alloced && (from->Alloced_length != 0)) || !to || from == to)
{
(void) from->realloc(from_length);
return from;