[Pkg-mysql-commits] r1917 - in mysql-dfsg-5.1/branches/unstable/debian: . patches
Norbert Tretkowski
nobse at alioth.debian.org
Tue Nov 30 08:19:59 UTC 2010
tags 599937 pending
thanks
Author: nobse
Date: 2010-11-30 08:19:54 +0000 (Tue, 30 Nov 2010)
New Revision: 1917
Added:
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3833.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3834.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3835.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3836.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3837.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3838.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3839.dpatch
mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3840.dpatch
Removed:
mysql-dfsg-5.1/branches/unstable/debian/patches/60_CVE-2010-3833-to-CVE-2010-3840.dpatch
Modified:
mysql-dfsg-5.1/branches/unstable/debian/changelog
mysql-dfsg-5.1/branches/unstable/debian/patches/00list
Log:
Forgot to check-in changes...
Modified: mysql-dfsg-5.1/branches/unstable/debian/changelog
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/changelog 2010-11-07 12:18:14 UTC (rev 1916)
+++ mysql-dfsg-5.1/branches/unstable/debian/changelog 2010-11-30 08:19:54 UTC (rev 1917)
@@ -1,11 +1,50 @@
-mysql-5.1 (5.1.49-3) UNRELEASED; urgency=low
+mysql-5.1 (5.1.49-3) unstable; urgency=high
- * SECURITY:
- Fix for CVE-2010-
- (closes: #498362)
+ * SECURITY UPDATE: denial of service via incorrect propagation of type
+ errors.
+ - debian/patches/61_CVE-2010-3833.dpatch: properly check for execution
+ errors in sql/item_func.cc. Add tests to mysql-test/*.
+ - CVE-2010-3833
+ * SECURITY UPDATE: denial of service via derived table materializing.
+ - debian/patches/61_CVE-2010-3834.dpatch: handle temporary tables in
+ sql/field.cc, sql/sql_select.*. Add tests to mysql-test/*.
+ - CVE-2010-3834
+ * SECURITY UPDATE: denial of service via user-variable assignment
+ expression.
+ - debian/patches/61_CVE-2010-3835.dpatch: fix logic in sql/item_func.*,
+ Add tests to mysql-test/*.
+ - CVE-2010-3835
+ * SECURITY UPDATE: denial of service via pre-evaluation of LIKE
+ predicates during view preparation.
+ - debian/patches/61_CVE-2010-3836.dpatch: make sure we're not in view
+ preparation mode in sql/item_cmpfunc.cc. Add tests to mysql-test/*.
+ - CVE-2010-3836
+ * SECURITY UPDATE: denial of service via use of GROUP_CONCAT() and
+ WITH ROLLUP together.
+ - debian/patches/61_CVE-2010-3837.dpatch: create a copy of the order
+ structures in sql/item_sum.cc, sql/table.h. Add tests to
+ mysql-test/*.
+ - CVE-2010-3837
+ * SECURITY UPDATE: denial of service via longblob and union or update
+ with subquery.
+ - debian/patches/61_CVE-2010-3838.dpatch: handle REAL_RESULT in
+ sql/item_func.cc. Add tests to mysql-test/*.
+ - CVE-2010-3838
+ * SECURITY UPDATE: denial of service via certain queries with nested
+ joins.
+ - debian/patches/61_CVE-2010-3839.dpatch: fix nesting in
+ sql/sql_select.cc. Add tests to mysql-test/*.
+ - CVE-2010-3839
+ * SECURITY UPDATE: denial of service via PolyFromWKB() function and
+ improper data.
+ - debian/patches/61_CVE-2010-3840.dpatch: improve data handling in
+ sql/spatial.cc. Add tests to mysql-test/*.
+ - CVE-2010-3840
- -- Norbert Tretkowski <norbert at tretkowski.de> Sun, 07 Nov 2010 13:15:30 +0100
+ * Patches and changelog entries taken from Ubuntu. (closes: #599937)
+ -- Norbert Tretkowski <norbert at tretkowski.de> Thu, 25 Nov 2010 23:15:32 +0100
+
mysql-5.1 (5.1.49-2) unstable; urgency=low
* Check for server binary before executing any script. (closes: #583611)
Modified: mysql-dfsg-5.1/branches/unstable/debian/patches/00list
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/00list 2010-11-07 12:18:14 UTC (rev 1916)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/00list 2010-11-30 08:19:54 UTC (rev 1917)
@@ -8,4 +8,11 @@
44_scripts__mysql_config__libs.dpatch
50_mysql-test__db_test.dpatch
99_fix_testsuite_for_installed_env.dpatch
-60_CVE-2010-3833-to-CVE-2010-3840.dpatch
+61_CVE-2010-3833.dpatch
+61_CVE-2010-3834.dpatch
+61_CVE-2010-3835.dpatch
+61_CVE-2010-3836.dpatch
+61_CVE-2010-3837.dpatch
+61_CVE-2010-3838.dpatch
+61_CVE-2010-3839.dpatch
+61_CVE-2010-3840.dpatch
Deleted: mysql-dfsg-5.1/branches/unstable/debian/patches/60_CVE-2010-3833-to-CVE-2010-3840.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/60_CVE-2010-3833-to-CVE-2010-3840.dpatch 2010-11-07 12:18:14 UTC (rev 1916)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/60_CVE-2010-3833-to-CVE-2010-3840.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -1,573 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 60_CVE-2010-3833-to-CVE-2010-3840.dpatch by Moritz Muehlenhoff <jmm at inutil.org>
-
- at DPATCH@
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/func_gconcat.result mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result
---- mysql-5.1-5.1.49.orig//mysql-test/r/func_gconcat.result 2010-07-09 15:02:55.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result 2010-10-29 21:52:45.000000000 +0200
-@@ -995,6 +995,7 @@
- 1
- 1
- DROP TABLE t1;
-+End of 5.0 tests
- #
- # Bug #52397: another crash with explain extended and group_concat
- #
-@@ -1010,4 +1011,22 @@
- Warnings:
- Note 1003 select 1 AS `1` from (select group_concat(`test`.`t1`.`a` order by `test`.`t1`.`a` ASC separator ',') AS `GROUP_CONCAT(t1.a ORDER BY t1.a ASC)` from `test`.`t1` `t2` join `test`.`t1` group by `test`.`t1`.`a`) `d`
- DROP TABLE t1;
--End of 5.0 tests
-+#
-+# Bug #54476: crash when group_concat and 'with rollup' in prepared statements
-+#
-+CREATE TABLE t1 (a INT);
-+INSERT INTO t1 VALUES (1), (2);
-+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1.a ORDER BY t1.a) FROM t1 JOIN t1 t2 GROUP BY t1.a WITH ROLLUP";
-+EXECUTE stmt;
-+GROUP_CONCAT(t1.a ORDER BY t1.a)
-+1,1
-+2,2
-+1,1,2,2
-+EXECUTE stmt;
-+GROUP_CONCAT(t1.a ORDER BY t1.a)
-+1,1
-+2,2
-+1,1,2,2
-+DEALLOCATE PREPARE stmt;
-+DROP TABLE t1;
-+End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/func_misc.result mysql-5.1-5.1.49/mysql-test/r/func_misc.result
---- mysql-5.1-5.1.49.orig//mysql-test/r/func_misc.result 2010-07-09 15:02:55.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/r/func_misc.result 2010-10-29 21:52:47.000000000 +0200
-@@ -336,4 +336,19 @@
- select connection_id() > 0;
- connection_id() > 0
- 1
-+#
-+# Bug #54461: crash with longblob and union or update with subquery
-+#
-+CREATE TABLE t1 (a INT, b LONGBLOB);
-+INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2');
-+SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
-+LEAST(a, (SELECT b FROM t1 LIMIT 1))
-+1
-+2
-+SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
-+GREATEST(a, (SELECT b FROM t1 LIMIT 1))
-+2
-+3
-+1
-+DROP TABLE t1;
- End of tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/join.result mysql-5.1-5.1.49/mysql-test/r/join.result
---- mysql-5.1-5.1.49.orig//mysql-test/r/join.result 2010-07-09 15:03:00.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/r/join.result 2010-10-29 21:52:39.000000000 +0200
-@@ -1184,4 +1184,55 @@
- NULL
- 1
- DROP TABLE t1, t2, mm1;
-+#
-+# Bug #55568: user variable assignments crash server when used within
-+# query
-+#
-+CREATE TABLE t1 (a INT);
-+INSERT INTO t1 VALUES (0), (1);
-+SELECT MULTIPOINT(
-+1,
-+(
-+SELECT MULTIPOINT(
-+MULTIPOINT(
-+1,
-+(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
-+)
-+) FROM t1
-+)
-+) != COUNT(*) q FROM t1 GROUP BY a;
-+q
-+NULL
-+NULL
-+SELECT MULTIPOINT(
-+1,
-+(
-+SELECT MULTIPOINT(
-+MULTIPOINT(
-+1,
-+(SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
-+)
-+) FROM t1
-+)
-+) != COUNT(*) q FROM t1 GROUP BY a;
-+q
-+NULL
-+NULL
-+DROP TABLE t1;
-+#
-+# Bug #54468: crash after item's print() function when ordering/grouping
-+# by subquery
-+#
-+CREATE TABLE t1(a INT, b INT);
-+INSERT INTO t1 VALUES (), ();
-+SELECT 1 FROM t1
-+GROUP BY
-+GREATEST(t1.a,
-+(SELECT 1 FROM
-+(SELECT t1.b FROM t1,t1 t2
-+ORDER BY t1.a, t1.a LIMIT 1) AS d)
-+);
-+1
-+1
-+DROP TABLE t1;
- End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/r/user_var.result mysql-5.1-5.1.49/mysql-test/r/user_var.result
---- mysql-5.1-5.1.49.orig//mysql-test/r/user_var.result 2010-07-09 15:03:13.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/r/user_var.result 2010-10-29 21:52:42.000000000 +0200
-@@ -430,4 +430,21 @@
- INSERT INTO t1 VALUES (1);
- INSERT INTO t1 VALUES (1);
- DROP TABLE t1;
-+CREATE TABLE t1(a INT);
-+INSERT INTO t1 VALUES (0),(0);
-+# BUG#55615 : should not crash
-+SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a;
-+(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1)
-+1
-+1
-+# BUG#55564 : should not crash
-+SELECT IF(
-+ at v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
-+count(*), 1)
-+FROM t1 GROUP BY a LIMIT 1;
-+IF(
-+ at v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
-+count(*), 1)
-+1
-+DROP TABLE t1;
- End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/r/innodb_mysql.result mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result
---- mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/r/innodb_mysql.result 2010-07-09 15:05:40.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result 2010-10-29 21:52:36.000000000 +0200
-@@ -2499,4 +2499,17 @@
- id select_type table type possible_keys key key_len ref rows Extra
- 1 SIMPLE t1 range f2,f4 f4 1 NULL 11 Using where
- DROP TABLE t1;
-+#
-+# Bug#55826: create table .. select crashes with when KILL_BAD_DATA
-+# is returned
-+#
-+CREATE TABLE t1(a INT) ENGINE=innodb;
-+INSERT INTO t1 VALUES (0);
-+SET SQL_MODE='STRICT_ALL_TABLES';
-+CREATE TABLE t2
-+SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`;
-+ERROR 22007: Incorrect datetime value: '' for column 'NOW()' at row 1
-+DROP TABLE t1,t2;
-+ERROR 42S02: Unknown table 't2'
-+SET SQL_MODE=DEFAULT;
- End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/t/innodb_mysql.test mysql-5.1-5.1.49/mysql-test/suite/innodb/t/innodb_mysql.test
---- mysql-5.1-5.1.49.orig//mysql-test/suite/innodb/t/innodb_mysql.test 2010-07-09 15:05:37.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/suite/innodb/t/innodb_mysql.test 2010-10-29 21:52:36.000000000 +0200
-@@ -737,4 +737,19 @@
-
- DROP TABLE t1;
-
-+--echo #
-+--echo # Bug#55826: create table .. select crashes with when KILL_BAD_DATA
-+--echo # is returned
-+--echo #
-+
-+CREATE TABLE t1(a INT) ENGINE=innodb;
-+INSERT INTO t1 VALUES (0);
-+SET SQL_MODE='STRICT_ALL_TABLES';
-+--error ER_TRUNCATED_WRONG_VALUE
-+CREATE TABLE t2
-+ SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`;
-+DROP TABLE t1,t2;
-+SET SQL_MODE=DEFAULT;
-+
-+
- --echo End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/t/func_gconcat.test mysql-5.1-5.1.49/mysql-test/t/func_gconcat.test
---- mysql-5.1-5.1.49.orig//mysql-test/t/func_gconcat.test 2010-07-09 15:02:26.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/t/func_gconcat.test 2010-10-29 21:52:45.000000000 +0200
-@@ -708,6 +708,7 @@
-
- DROP TABLE t1;
-
-+--echo End of 5.0 tests
-
- --echo #
- --echo # Bug #52397: another crash with explain extended and group_concat
-@@ -719,5 +720,18 @@
- t1 t2, t1 GROUP BY t1.a) AS d;
- DROP TABLE t1;
-
-+--echo #
-+--echo # Bug #54476: crash when group_concat and 'with rollup' in prepared statements
-+--echo #
-
----echo End of 5.0 tests
-+CREATE TABLE t1 (a INT);
-+INSERT INTO t1 VALUES (1), (2);
-+
-+PREPARE stmt FROM "SELECT GROUP_CONCAT(t1.a ORDER BY t1.a) FROM t1 JOIN t1 t2 GROUP BY t1.a WITH ROLLUP";
-+EXECUTE stmt;
-+EXECUTE stmt;
-+
-+DEALLOCATE PREPARE stmt;
-+DROP TABLE t1;
-+
-+--echo End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/t/func_misc.test mysql-5.1-5.1.49/mysql-test/t/func_misc.test
---- mysql-5.1-5.1.49.orig//mysql-test/t/func_misc.test 2010-07-09 15:02:27.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/t/func_misc.test 2010-10-29 21:52:47.000000000 +0200
-@@ -467,4 +467,16 @@
-
- select connection_id() > 0;
-
-+--echo #
-+--echo # Bug #54461: crash with longblob and union or update with subquery
-+--echo #
-+
-+CREATE TABLE t1 (a INT, b LONGBLOB);
-+INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2');
-+
-+SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
-+SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
-+
-+DROP TABLE t1;
-+
- --echo End of tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/t/join.test mysql-5.1-5.1.49/mysql-test/t/join.test
---- mysql-5.1-5.1.49.orig//mysql-test/t/join.test 2010-07-09 15:02:30.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/t/join.test 2010-10-29 21:52:50.000000000 +0200
-@@ -851,4 +851,70 @@
- SELECT t1.a FROM mm1,t1;
- DROP TABLE t1, t2, mm1;
-
-+--echo #
-+--echo # Bug #55568: user variable assignments crash server when used within
-+--echo # query
-+--echo #
-+
-+CREATE TABLE t1 (a INT);
-+
-+INSERT INTO t1 VALUES (0), (1);
-+
-+let $i=2;
-+while ($i)
-+{
-+ SELECT MULTIPOINT(
-+ 1,
-+ (
-+ SELECT MULTIPOINT(
-+ MULTIPOINT(
-+ 1,
-+ (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
-+ )
-+ ) FROM t1
-+ )
-+ ) != COUNT(*) q FROM t1 GROUP BY a;
-+ dec $i;
-+}
-+
-+DROP TABLE t1;
-+
-+--echo #
-+--echo # Bug #54468: crash after item's print() function when ordering/grouping
-+--echo # by subquery
-+--echo #
-+
-+CREATE TABLE t1(a INT, b INT);
-+INSERT INTO t1 VALUES (), ();
-+
-+SELECT 1 FROM t1
-+GROUP BY
-+GREATEST(t1.a,
-+ (SELECT 1 FROM
-+ (SELECT t1.b FROM t1,t1 t2
-+ ORDER BY t1.a, t1.a LIMIT 1) AS d)
-+ );
-+
-+DROP TABLE t1;
-+
-+--echo #
-+--echo # Bug #53544: Server hangs during JOIN query in stored procedure called
-+--echo # twice in a row
-+--echo #
-+
-+CREATE TABLE t1(c INT);
-+
-+INSERT INTO t1 VALUES (1), (2);
-+
-+PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN
-+ t1 t2 ON t1.c=t2.c RIGHT JOIN
-+ t1 t3 ON t1.c=t3.c
-+ GROUP BY f1;";
-+
-+EXECUTE stmt;
-+EXECUTE stmt;
-+
-+DEALLOCATE PREPARE stmt;
-+DROP TABLE t1;
-+
- --echo End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//mysql-test/t/user_var.test mysql-5.1-5.1.49/mysql-test/t/user_var.test
---- mysql-5.1-5.1.49.orig//mysql-test/t/user_var.test 2010-07-09 15:02:46.000000000 +0200
-+++ mysql-5.1-5.1.49/mysql-test/t/user_var.test 2010-10-29 21:52:42.000000000 +0200
-@@ -328,4 +328,22 @@
- INSERT INTO t1 VALUES (1);
- DROP TABLE t1;
-
-+#
-+# Bug #55615: debug assertion after using variable in assignment and
-+# referred to
-+# Bug #55564: crash with user variables, assignments, joins...
-+#
-+
-+CREATE TABLE t1(a INT);
-+INSERT INTO t1 VALUES (0),(0);
-+--echo # BUG#55615 : should not crash
-+SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a;
-+--echo # BUG#55564 : should not crash
-+SELECT IF(
-+ @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
-+ count(*), 1)
-+FROM t1 GROUP BY a LIMIT 1;
-+
-+DROP TABLE t1;
-+
- --echo End of 5.1 tests
-diff -Naur mysql-5.1-5.1.49.orig//sql/field.cc mysql-5.1-5.1.49/sql/field.cc
---- mysql-5.1-5.1.49.orig//sql/field.cc 2010-07-09 14:34:53.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/field.cc 2010-10-29 21:52:40.000000000 +0200
-@@ -1535,7 +1535,7 @@
- }
- else
- field->org_table_name= field->db_name= "";
-- if (orig_table)
-+ if (orig_table && orig_table->alias)
- {
- field->table_name= orig_table->alias;
- field->org_col_name= field_name;
-diff -Naur mysql-5.1-5.1.49.orig//sql/item_cmpfunc.cc mysql-5.1-5.1.49/sql/item_cmpfunc.cc
---- mysql-5.1-5.1.49.orig//sql/item_cmpfunc.cc 2010-07-09 14:34:57.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/item_cmpfunc.cc 2010-10-29 21:50:27.000000000 +0200
-@@ -4662,7 +4662,8 @@
- recompute the tables for each row it's not worth it.
- */
- if (args[1]->const_item() && !use_strnxfrm(collation.collation) &&
-- !(specialflag & SPECIAL_NO_NEW_FUNC))
-+ !(specialflag & SPECIAL_NO_NEW_FUNC) &&
-+ !thd->lex->view_prepare_mode)
- {
- String* res2 = args[1]->val_str(&cmp.value2);
- if (!res2)
-diff -Naur mysql-5.1-5.1.49.orig//sql/item_func.cc mysql-5.1-5.1.49/sql/item_func.cc
---- mysql-5.1-5.1.49.orig//sql/item_func.cc 2010-07-09 14:34:56.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/item_func.cc 2010-10-29 21:52:47.000000000 +0200
-@@ -2243,6 +2243,8 @@
- max_length= my_decimal_precision_to_length_no_truncation(max_int_part +
- decimals, decimals,
- unsigned_flag);
-+ else if (cmp_type == REAL_RESULT)
-+ max_length= float_length(decimals);
- cached_field_type= agg_field_type(args, arg_count);
- }
-
-@@ -2261,7 +2263,7 @@
- stored to the value pointer, if latter is provided.
-
- RETURN
-- 0 If one of arguments is NULL
-+ 0 If one of arguments is NULL or there was a execution error
- # index of the least/greatest argument
- */
-
-@@ -2275,6 +2277,14 @@
- Item **arg= args + i;
- bool is_null;
- longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null);
-+
-+ /* Check if we need to stop (because of error or KILL) and stop the loop */
-+ if (thd->is_error())
-+ {
-+ null_value= 1;
-+ return 0;
-+ }
-+
- if ((null_value= args[i]->null_value))
- return 0;
- if (i == 0 || (res < min_max ? cmp_sign : -cmp_sign) > 0)
-@@ -2303,6 +2313,12 @@
- if (null_value)
- return 0;
- str_res= args[min_max_idx]->val_str(str);
-+ if (args[min_max_idx]->null_value)
-+ {
-+ // check if the call to val_str() above returns a NULL value
-+ null_value= 1;
-+ return NULL;
-+ }
- str_res->set_charset(collation.collation);
- return str_res;
- }
-@@ -4261,6 +4277,14 @@
- return entry->val_int(&null_value);
- }
-
-+bool Item_func_set_user_var::val_bool_result()
-+{
-+ DBUG_ASSERT(fixed == 1);
-+ check(TRUE);
-+ update(); // Store expression
-+ return entry->val_int(&null_value) != 0;
-+}
-+
- String *Item_func_set_user_var::str_result(String *str)
- {
- DBUG_ASSERT(fixed == 1);
-diff -Naur mysql-5.1-5.1.49.orig//sql/item_func.h mysql-5.1-5.1.49/sql/item_func.h
---- mysql-5.1-5.1.49.orig//sql/item_func.h 2010-07-09 14:35:10.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/item_func.h 2010-10-29 21:52:42.000000000 +0200
-@@ -1353,6 +1353,7 @@
- my_decimal *val_decimal(my_decimal *);
- double val_result();
- longlong val_int_result();
-+ bool val_bool_result();
- String *str_result(String *str);
- my_decimal *val_decimal_result(my_decimal *);
- bool is_null_result();
-diff -Naur mysql-5.1-5.1.49.orig//sql/item_sum.cc mysql-5.1-5.1.49/sql/item_sum.cc
---- mysql-5.1-5.1.49.orig//sql/item_sum.cc 2010-07-09 14:34:53.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/item_sum.cc 2010-10-29 21:52:45.000000000 +0200
-@@ -3034,7 +3034,6 @@
- tree(item->tree),
- unique_filter(item->unique_filter),
- table(item->table),
-- order(item->order),
- context(item->context),
- arg_count_order(item->arg_count_order),
- arg_count_field(item->arg_count_field),
-@@ -3047,6 +3046,24 @@
- {
- quick_group= item->quick_group;
- result.set_charset(collation.collation);
-+
-+ /*
-+ Since the ORDER structures pointed to by the elements of the 'order' array
-+ may be modified in find_order_in_list() called from
-+ Item_func_group_concat::setup(), create a copy of those structures so that
-+ such modifications done in this object would not have any effect on the
-+ object being copied.
-+ */
-+ ORDER *tmp;
-+ if (!(order= (ORDER **) thd->alloc(sizeof(ORDER *) * arg_count_order +
-+ sizeof(ORDER) * arg_count_order)))
-+ return;
-+ tmp= (ORDER *)(order + arg_count_order);
-+ for (uint i= 0; i < arg_count_order; i++, tmp++)
-+ {
-+ memcpy(tmp, item->order[i], sizeof(ORDER));
-+ order[i]= tmp;
-+ }
- }
-
-
-diff -Naur mysql-5.1-5.1.49.orig//sql/spatial.cc mysql-5.1-5.1.49/sql/spatial.cc
---- mysql-5.1-5.1.49.orig//sql/spatial.cc 2010-07-09 14:35:15.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/spatial.cc 2010-10-29 21:52:04.000000000 +0200
-@@ -522,7 +522,7 @@
- n_points= wkb_get_uint(wkb, bo);
- proper_length= 4 + n_points * POINT_DATA_SIZE;
-
-- if (len < proper_length || res->reserve(proper_length))
-+ if (!n_points || len < proper_length || res->reserve(proper_length))
- return 0;
-
- res->q_append(n_points);
-@@ -740,7 +740,9 @@
- if (len < 4)
- return 0;
-
-- n_linear_rings= wkb_get_uint(wkb, bo);
-+ if (!(n_linear_rings= wkb_get_uint(wkb, bo)))
-+ return 0;
-+
- if (res->reserve(4, 512))
- return 0;
- wkb+= 4;
-diff -Naur mysql-5.1-5.1.49.orig//sql/sql_select.cc mysql-5.1-5.1.49/sql/sql_select.cc
---- mysql-5.1-5.1.49.orig//sql/sql_select.cc 2010-07-09 14:34:57.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/sql_select.cc 2010-10-29 21:52:50.000000000 +0200
-@@ -2378,13 +2378,8 @@
-
- cleanup(1);
- /* Cleanup items referencing temporary table columns */
-- if (!tmp_all_fields3.is_empty())
-- {
-- List_iterator_fast<Item> it(tmp_all_fields3);
-- Item *item;
-- while ((item= it++))
-- item->cleanup();
-- }
-+ cleanup_item_list(tmp_all_fields1);
-+ cleanup_item_list(tmp_all_fields3);
- if (exec_tmp_table1)
- free_tmp_table(thd, exec_tmp_table1);
- if (exec_tmp_table2)
-@@ -2395,6 +2390,19 @@
- DBUG_RETURN(error);
- }
-
-+
-+void JOIN::cleanup_item_list(List<Item> &items) const
-+{
-+ if (!items.is_empty())
-+ {
-+ List_iterator_fast<Item> it(items);
-+ Item *item;
-+ while ((item= it++))
-+ item->cleanup();
-+ }
-+}
-+
-+
- /**
- An entry point to single-unit select (a select without UNION).
-
-@@ -8875,10 +8883,10 @@
-
- /* Flatten nested joins that can be flattened. */
- TABLE_LIST *right_neighbor= NULL;
-- bool fix_name_res= FALSE;
- li.rewind();
- while ((table= li++))
- {
-+ bool fix_name_res= FALSE;
- nested_join= table->nested_join;
- if (nested_join && !table->on_expr)
- {
-diff -Naur mysql-5.1-5.1.49.orig//sql/sql_select.h mysql-5.1-5.1.49/sql/sql_select.h
---- mysql-5.1-5.1.49.orig//sql/sql_select.h 2010-07-09 14:34:56.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/sql_select.h 2010-10-29 21:52:40.000000000 +0200
-@@ -577,6 +577,7 @@
- */
- bool implicit_grouping;
- bool make_simple_join(JOIN *join, TABLE *tmp_table);
-+ void cleanup_item_list(List<Item> &items) const;
- };
-
-
-diff -Naur mysql-5.1-5.1.49.orig//sql/table.h mysql-5.1-5.1.49/sql/table.h
---- mysql-5.1-5.1.49.orig//sql/table.h 2010-07-09 14:34:54.000000000 +0200
-+++ mysql-5.1-5.1.49/sql/table.h 2010-10-29 21:52:45.000000000 +0200
-@@ -55,7 +55,6 @@
- struct st_order *next;
- Item **item; /* Point at item in select fields */
- Item *item_ptr; /* Storage for initial item */
-- Item **item_copy; /* For SPs; the original item ptr */
- int counter; /* position in SELECT list, correct
- only if counter_used is true*/
- bool asc; /* true if ascending */
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3833.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3833.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3833.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,90 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via incorrect propagation of type errors.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.1.20
+# Bug: http://bugs.mysql.com/bug.php?id=55826
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/suite/innodb/r/innodb_mysql.result mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result
+--- mysql-5.1-5.1.49~/mysql-test/suite/innodb/r/innodb_mysql.result 2010-07-09 09:05:40.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/suite/innodb/r/innodb_mysql.result 2010-11-08 11:03:09.000000000 -0500
+@@ -2499,4 +2499,17 @@
+ id select_type table type possible_keys key key_len ref rows Extra
+ 1 SIMPLE t1 range f2,f4 f4 1 NULL 11 Using where
+ DROP TABLE t1;
++#
++# Bug#55826: create table .. select crashes with when KILL_BAD_DATA
++# is returned
++#
++CREATE TABLE t1(a INT) ENGINE=innodb;
++INSERT INTO t1 VALUES (0);
++SET SQL_MODE='STRICT_ALL_TABLES';
++CREATE TABLE t2
++SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`;
++ERROR 22007: Incorrect datetime value: '' for column 'NOW()' at row 1
++DROP TABLE t1,t2;
++ERROR 42S02: Unknown table 't2'
++SET SQL_MODE=DEFAULT;
+ End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/suite/innodb/t/innodb_mysql.test mysql-5.1-5.1.49/mysql-test/suite/innodb/t/innodb_mysql.test
+--- mysql-5.1-5.1.49~/mysql-test/suite/innodb/t/innodb_mysql.test 2010-07-09 09:05:37.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/suite/innodb/t/innodb_mysql.test 2010-11-08 11:03:09.000000000 -0500
+@@ -737,4 +737,19 @@
+
+ DROP TABLE t1;
+
++--echo #
++--echo # Bug#55826: create table .. select crashes with when KILL_BAD_DATA
++--echo # is returned
++--echo #
++
++CREATE TABLE t1(a INT) ENGINE=innodb;
++INSERT INTO t1 VALUES (0);
++SET SQL_MODE='STRICT_ALL_TABLES';
++--error ER_TRUNCATED_WRONG_VALUE
++CREATE TABLE t2
++ SELECT LEAST((SELECT '' FROM t1),NOW()) FROM `t1`;
++DROP TABLE t1,t2;
++SET SQL_MODE=DEFAULT;
++
++
+ --echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_func.cc mysql-5.1-5.1.49/sql/item_func.cc
+--- mysql-5.1-5.1.49~/sql/item_func.cc 2010-07-09 08:34:56.000000000 -0400
++++ mysql-5.1-5.1.49/sql/item_func.cc 2010-11-08 11:03:09.000000000 -0500
+@@ -2261,7 +2261,7 @@
+ stored to the value pointer, if latter is provided.
+
+ RETURN
+- 0 If one of arguments is NULL
++ 0 If one of arguments is NULL or there was a execution error
+ # index of the least/greatest argument
+ */
+
+@@ -2275,6 +2275,14 @@
+ Item **arg= args + i;
+ bool is_null;
+ longlong res= get_datetime_value(thd, &arg, 0, datetime_item, &is_null);
++
++ /* Check if we need to stop (because of error or KILL) and stop the loop */
++ if (thd->is_error())
++ {
++ null_value= 1;
++ return 0;
++ }
++
+ if ((null_value= args[i]->null_value))
+ return 0;
+ if (i == 0 || (res < min_max ? cmp_sign : -cmp_sign) > 0)
+@@ -2303,6 +2311,12 @@
+ if (null_value)
+ return 0;
+ str_res= args[min_max_idx]->val_str(str);
++ if (args[min_max_idx]->null_value)
++ {
++ // check if the call to val_str() above returns a NULL value
++ null_value= 1;
++ return NULL;
++ }
+ str_res->set_charset(collation.collation);
+ return str_res;
+ }
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3834.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3834.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3834.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,151 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via derived table materializing.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.2.1
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.1.26
+# Bug: http://bugs.mysql.com/bug.php?id=55568
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/join.result mysql-5.1-5.1.49/mysql-test/r/join.result
+--- mysql-5.1-5.1.49~/mysql-test/r/join.result 2010-07-09 09:03:00.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/join.result 2010-11-08 11:03:21.000000000 -0500
+@@ -1184,4 +1184,20 @@
+ NULL
+ 1
+ DROP TABLE t1, t2, mm1;
++#
++# Bug #54468: crash after item's print() function when ordering/grouping
++# by subquery
++#
++CREATE TABLE t1(a INT, b INT);
++INSERT INTO t1 VALUES (), ();
++SELECT 1 FROM t1
++GROUP BY
++GREATEST(t1.a,
++(SELECT 1 FROM
++(SELECT t1.b FROM t1,t1 t2
++ORDER BY t1.a, t1.a LIMIT 1) AS d)
++);
++1
++1
++DROP TABLE t1;
+ End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/join.test mysql-5.1-5.1.49/mysql-test/t/join.test
+--- mysql-5.1-5.1.49~/mysql-test/t/join.test 2010-07-09 09:02:30.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/join.test 2010-11-08 11:03:21.000000000 -0500
+@@ -851,4 +851,54 @@
+ SELECT t1.a FROM mm1,t1;
+ DROP TABLE t1, t2, mm1;
+
++#--echo #
++#--echo # Bug #55568: user variable assignments crash server when used within
++#--echo # query
++#--echo #
++#
++#
++# This test case is invalidated because of fix of bug 55531
++# The reason is that {1} is not a valid geometric collection.
++#
++#CREATE TABLE t1 (a INT);
++
++#INSERT INTO t1 VALUES (0), (1);
++
++#let $i=2;
++#while ($i)
++#{
++# SELECT MULTIPOINT(
++# 1,
++# (
++# SELECT MULTIPOINT(
++# MULTIPOINT(
++# 1,
++# (SELECT COUNT(*) FROM (SELECT 1 FROM t1 GROUP BY a,a) d)
++# )
++# ) FROM t1
++# )
++# ) != COUNT(*) q FROM t1 GROUP BY a;
++# dec $i;
++#}
++#
++#DROP TABLE t1;
++
++--echo #
++--echo # Bug #54468: crash after item's print() function when ordering/grouping
++--echo # by subquery
++--echo #
++
++CREATE TABLE t1(a INT, b INT);
++INSERT INTO t1 VALUES (), ();
++
++SELECT 1 FROM t1
++GROUP BY
++GREATEST(t1.a,
++ (SELECT 1 FROM
++ (SELECT t1.b FROM t1,t1 t2
++ ORDER BY t1.a, t1.a LIMIT 1) AS d)
++ );
++
++DROP TABLE t1;
++
+ --echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/field.cc mysql-5.1-5.1.49/sql/field.cc
+--- mysql-5.1-5.1.49~/sql/field.cc 2010-07-09 08:34:53.000000000 -0400
++++ mysql-5.1-5.1.49/sql/field.cc 2010-11-08 11:03:21.000000000 -0500
+@@ -1535,7 +1535,7 @@
+ }
+ else
+ field->org_table_name= field->db_name= "";
+- if (orig_table)
++ if (orig_table && orig_table->alias)
+ {
+ field->table_name= orig_table->alias;
+ field->org_col_name= field_name;
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/sql_select.cc mysql-5.1-5.1.49/sql/sql_select.cc
+--- mysql-5.1-5.1.49~/sql/sql_select.cc 2010-07-09 08:34:57.000000000 -0400
++++ mysql-5.1-5.1.49/sql/sql_select.cc 2010-11-08 11:03:21.000000000 -0500
+@@ -2378,13 +2378,8 @@
+
+ cleanup(1);
+ /* Cleanup items referencing temporary table columns */
+- if (!tmp_all_fields3.is_empty())
+- {
+- List_iterator_fast<Item> it(tmp_all_fields3);
+- Item *item;
+- while ((item= it++))
+- item->cleanup();
+- }
++ cleanup_item_list(tmp_all_fields1);
++ cleanup_item_list(tmp_all_fields3);
+ if (exec_tmp_table1)
+ free_tmp_table(thd, exec_tmp_table1);
+ if (exec_tmp_table2)
+@@ -2395,6 +2390,19 @@
+ DBUG_RETURN(error);
+ }
+
++
++void JOIN::cleanup_item_list(List<Item> &items) const
++{
++ if (!items.is_empty())
++ {
++ List_iterator_fast<Item> it(items);
++ Item *item;
++ while ((item= it++))
++ item->cleanup();
++ }
++}
++
++
+ /**
+ An entry point to single-unit select (a select without UNION).
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/sql_select.h mysql-5.1-5.1.49/sql/sql_select.h
+--- mysql-5.1-5.1.49~/sql/sql_select.h 2010-07-09 08:34:56.000000000 -0400
++++ mysql-5.1-5.1.49/sql/sql_select.h 2010-11-08 11:03:21.000000000 -0500
+@@ -577,6 +577,7 @@
+ */
+ bool implicit_grouping;
+ bool make_simple_join(JOIN *join, TABLE *tmp_table);
++ void cleanup_item_list(List<Item> &items) const;
+ };
+
+
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3835.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3835.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3835.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,86 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via user-variable assignment expression.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.1.18
+# Bug: http://bugs.mysql.com/bug.php?id=55564
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/user_var.result mysql-5.1-5.1.49/mysql-test/r/user_var.result
+--- mysql-5.1-5.1.49~/mysql-test/r/user_var.result 2010-07-09 09:03:13.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/user_var.result 2010-11-08 11:03:36.000000000 -0500
+@@ -430,4 +430,21 @@
+ INSERT INTO t1 VALUES (1);
+ INSERT INTO t1 VALUES (1);
+ DROP TABLE t1;
++CREATE TABLE t1(a INT);
++INSERT INTO t1 VALUES (0),(0);
++# BUG#55615 : should not crash
++SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a;
++(@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1)
++1
++1
++# BUG#55564 : should not crash
++SELECT IF(
++ at v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
++count(*), 1)
++FROM t1 GROUP BY a LIMIT 1;
++IF(
++ at v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
++count(*), 1)
++1
++DROP TABLE t1;
+ End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/user_var.test mysql-5.1-5.1.49/mysql-test/t/user_var.test
+--- mysql-5.1-5.1.49~/mysql-test/t/user_var.test 2010-07-09 09:02:46.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/user_var.test 2010-11-08 11:03:36.000000000 -0500
+@@ -328,4 +328,22 @@
+ INSERT INTO t1 VALUES (1);
+ DROP TABLE t1;
+
++#
++# Bug #55615: debug assertion after using variable in assignment and
++# referred to
++# Bug #55564: crash with user variables, assignments, joins...
++#
++
++CREATE TABLE t1(a INT);
++INSERT INTO t1 VALUES (0),(0);
++--echo # BUG#55615 : should not crash
++SELECT (@a:=(SELECT @a:=1 FROM t1 LIMIT 1)) AND COUNT(1) FROM t1 GROUP BY @a;
++--echo # BUG#55564 : should not crash
++SELECT IF(
++ @v:=LEAST((SELECT 1 FROM t1 t2 LEFT JOIN t1 ON (@v) GROUP BY t1.a), a),
++ count(*), 1)
++FROM t1 GROUP BY a LIMIT 1;
++
++DROP TABLE t1;
++
+ --echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_func.cc mysql-5.1-5.1.49/sql/item_func.cc
+--- mysql-5.1-5.1.49~/sql/item_func.cc 2010-11-08 11:03:31.000000000 -0500
++++ mysql-5.1-5.1.49/sql/item_func.cc 2010-11-08 11:03:36.000000000 -0500
+@@ -4275,6 +4275,14 @@
+ return entry->val_int(&null_value);
+ }
+
++bool Item_func_set_user_var::val_bool_result()
++{
++ DBUG_ASSERT(fixed == 1);
++ check(TRUE);
++ update(); // Store expression
++ return entry->val_int(&null_value) != 0;
++}
++
+ String *Item_func_set_user_var::str_result(String *str)
+ {
+ DBUG_ASSERT(fixed == 1);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_func.h mysql-5.1-5.1.49/sql/item_func.h
+--- mysql-5.1-5.1.49~/sql/item_func.h 2010-07-09 08:35:10.000000000 -0400
++++ mysql-5.1-5.1.49/sql/item_func.h 2010-11-08 11:03:36.000000000 -0500
+@@ -1353,6 +1353,7 @@
+ my_decimal *val_decimal(my_decimal *);
+ double val_result();
+ longlong val_int_result();
++ bool val_bool_result();
+ String *str_result(String *str);
+ my_decimal *val_decimal_result(my_decimal *);
+ bool is_null_result();
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3836.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3836.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3836.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via pre-evaluation of LIKE
+# predicates during view preparation.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3452.1.22
+# Bug: http://bugs.mysql.com/bug.php?id=54568
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/subselect4.result mysql-5.1-5.1.49/mysql-test/r/subselect4.result
+--- mysql-5.1-5.1.49~/mysql-test/r/subselect4.result 2010-07-09 09:03:11.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/subselect4.result 2010-11-08 11:03:53.000000000 -0500
+@@ -59,3 +59,24 @@
+ (SELECT 1 FROM t1,t2 WHERE t2.b > t3.b)
+ DROP TABLE t1,t2,t3;
+ End of 5.0 tests.
++#
++# Bug#54568: create view cause Assertion failed: 0,
++# file .\item_subselect.cc, line 836
++#
++EXPLAIN SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++id select_type table type possible_keys key key_len ref rows Extra
++1 PRIMARY NULL NULL NULL NULL NULL NULL NULL No tables used
++Warnings:
++Note 1249 Select 2 was reduced during optimization
++DESCRIBE SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++id select_type table type possible_keys key key_len ref rows Extra
++1 PRIMARY NULL NULL NULL NULL NULL NULL NULL No tables used
++Warnings:
++Note 1249 Select 2 was reduced during optimization
++# None of the below should crash
++CREATE VIEW v1 AS SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++CREATE VIEW v2 AS SELECT 1 LIKE '%' ESCAPE ( 1 IN ( SELECT 1 ) );
++DROP VIEW v1, v2;
++#
++# End of 5.1 tests.
++#
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/subselect4.test mysql-5.1-5.1.49/mysql-test/t/subselect4.test
+--- mysql-5.1-5.1.49~/mysql-test/t/subselect4.test 2010-07-09 09:02:43.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/subselect4.test 2010-11-08 11:03:53.000000000 -0500
+@@ -62,3 +62,19 @@
+ DROP TABLE t1,t2,t3;
+
+ --echo End of 5.0 tests.
++
++--echo #
++--echo # Bug#54568: create view cause Assertion failed: 0,
++--echo # file .\item_subselect.cc, line 836
++--echo #
++EXPLAIN SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++DESCRIBE SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++--echo # None of the below should crash
++CREATE VIEW v1 AS SELECT 1 LIKE ( 1 IN ( SELECT 1 ) );
++CREATE VIEW v2 AS SELECT 1 LIKE '%' ESCAPE ( 1 IN ( SELECT 1 ) );
++DROP VIEW v1, v2;
++
++
++--echo #
++--echo # End of 5.1 tests.
++--echo #
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_cmpfunc.cc mysql-5.1-5.1.49/sql/item_cmpfunc.cc
+--- mysql-5.1-5.1.49~/sql/item_cmpfunc.cc 2010-07-09 08:34:57.000000000 -0400
++++ mysql-5.1-5.1.49/sql/item_cmpfunc.cc 2010-11-08 11:03:53.000000000 -0500
+@@ -4606,7 +4606,7 @@
+ return TRUE;
+ }
+
+- if (escape_item->const_item())
++ if (escape_item->const_item() && !thd->lex->view_prepare_mode)
+ {
+ /* If we are on execution stage */
+ String *escape_str= escape_item->val_str(&cmp.value1);
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3837.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3837.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3837.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,120 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via use of GROUP_CONCAT() and
+# WITH ROLLUP together
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.1.7
+# Bug: http://bugs.mysql.com/bug.php?id=54476
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/func_gconcat.result mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result
+--- mysql-5.1-5.1.49~/mysql-test/r/func_gconcat.result 2010-07-09 09:02:55.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/func_gconcat.result 2010-11-08 11:04:05.000000000 -0500
+@@ -995,6 +995,7 @@
+ 1
+ 1
+ DROP TABLE t1;
++End of 5.0 tests
+ #
+ # Bug #52397: another crash with explain extended and group_concat
+ #
+@@ -1010,4 +1011,22 @@
+ Warnings:
+ Note 1003 select 1 AS `1` from (select group_concat(`test`.`t1`.`a` order by `test`.`t1`.`a` ASC separator ',') AS `GROUP_CONCAT(t1.a ORDER BY t1.a ASC)` from `test`.`t1` `t2` join `test`.`t1` group by `test`.`t1`.`a`) `d`
+ DROP TABLE t1;
+-End of 5.0 tests
++#
++# Bug #54476: crash when group_concat and 'with rollup' in prepared statements
++#
++CREATE TABLE t1 (a INT);
++INSERT INTO t1 VALUES (1), (2);
++PREPARE stmt FROM "SELECT GROUP_CONCAT(t1.a ORDER BY t1.a) FROM t1 JOIN t1 t2 GROUP BY t1.a WITH ROLLUP";
++EXECUTE stmt;
++GROUP_CONCAT(t1.a ORDER BY t1.a)
++1,1
++2,2
++1,1,2,2
++EXECUTE stmt;
++GROUP_CONCAT(t1.a ORDER BY t1.a)
++1,1
++2,2
++1,1,2,2
++DEALLOCATE PREPARE stmt;
++DROP TABLE t1;
++End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/func_gconcat.test mysql-5.1-5.1.49/mysql-test/t/func_gconcat.test
+--- mysql-5.1-5.1.49~/mysql-test/t/func_gconcat.test 2010-07-09 09:02:26.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/func_gconcat.test 2010-11-08 11:04:05.000000000 -0500
+@@ -708,6 +708,7 @@
+
+ DROP TABLE t1;
+
++--echo End of 5.0 tests
+
+ --echo #
+ --echo # Bug #52397: another crash with explain extended and group_concat
+@@ -719,5 +720,18 @@
+ t1 t2, t1 GROUP BY t1.a) AS d;
+ DROP TABLE t1;
+
++--echo #
++--echo # Bug #54476: crash when group_concat and 'with rollup' in prepared statements
++--echo #
++
++CREATE TABLE t1 (a INT);
++INSERT INTO t1 VALUES (1), (2);
+
+---echo End of 5.0 tests
++PREPARE stmt FROM "SELECT GROUP_CONCAT(t1.a ORDER BY t1.a) FROM t1 JOIN t1 t2 GROUP BY t1.a WITH ROLLUP";
++EXECUTE stmt;
++EXECUTE stmt;
++
++DEALLOCATE PREPARE stmt;
++DROP TABLE t1;
++
++--echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_sum.cc mysql-5.1-5.1.49/sql/item_sum.cc
+--- mysql-5.1-5.1.49~/sql/item_sum.cc 2010-07-09 08:34:53.000000000 -0400
++++ mysql-5.1-5.1.49/sql/item_sum.cc 2010-11-08 11:04:05.000000000 -0500
+@@ -3034,7 +3034,6 @@
+ tree(item->tree),
+ unique_filter(item->unique_filter),
+ table(item->table),
+- order(item->order),
+ context(item->context),
+ arg_count_order(item->arg_count_order),
+ arg_count_field(item->arg_count_field),
+@@ -3047,6 +3046,24 @@
+ {
+ quick_group= item->quick_group;
+ result.set_charset(collation.collation);
++
++ /*
++ Since the ORDER structures pointed to by the elements of the 'order' array
++ may be modified in find_order_in_list() called from
++ Item_func_group_concat::setup(), create a copy of those structures so that
++ such modifications done in this object would not have any effect on the
++ object being copied.
++ */
++ ORDER *tmp;
++ if (!(order= (ORDER **) thd->alloc(sizeof(ORDER *) * arg_count_order +
++ sizeof(ORDER) * arg_count_order)))
++ return;
++ tmp= (ORDER *)(order + arg_count_order);
++ for (uint i= 0; i < arg_count_order; i++, tmp++)
++ {
++ memcpy(tmp, item->order[i], sizeof(ORDER));
++ order[i]= tmp;
++ }
+ }
+
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/table.h mysql-5.1-5.1.49/sql/table.h
+--- mysql-5.1-5.1.49~/sql/table.h 2010-07-09 08:34:54.000000000 -0400
++++ mysql-5.1-5.1.49/sql/table.h 2010-11-08 11:04:05.000000000 -0500
+@@ -55,7 +55,6 @@
+ struct st_order *next;
+ Item **item; /* Point at item in select fields */
+ Item *item_ptr; /* Storage for initial item */
+- Item **item_copy; /* For SPs; the original item ptr */
+ int counter; /* position in SELECT list, correct
+ only if counter_used is true*/
+ bool asc; /* true if ascending */
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3838.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3838.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3838.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,61 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via longblob and union or update with subquery.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.1.8
+# Bug: http://bugs.mysql.com/bug.php?id=54461
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/func_misc.result mysql-5.1-5.1.49/mysql-test/r/func_misc.result
+--- mysql-5.1-5.1.49~/mysql-test/r/func_misc.result 2010-07-09 09:02:55.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/func_misc.result 2010-11-08 11:04:23.000000000 -0500
+@@ -336,4 +336,19 @@
+ select connection_id() > 0;
+ connection_id() > 0
+ 1
++#
++# Bug #54461: crash with longblob and union or update with subquery
++#
++CREATE TABLE t1 (a INT, b LONGBLOB);
++INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2');
++SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
++LEAST(a, (SELECT b FROM t1 LIMIT 1))
++1
++2
++SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
++GREATEST(a, (SELECT b FROM t1 LIMIT 1))
++2
++3
++1
++DROP TABLE t1;
+ End of tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/func_misc.test mysql-5.1-5.1.49/mysql-test/t/func_misc.test
+--- mysql-5.1-5.1.49~/mysql-test/t/func_misc.test 2010-07-09 09:02:27.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/func_misc.test 2010-11-08 11:04:23.000000000 -0500
+@@ -467,4 +467,16 @@
+
+ select connection_id() > 0;
+
++--echo #
++--echo # Bug #54461: crash with longblob and union or update with subquery
++--echo #
++
++CREATE TABLE t1 (a INT, b LONGBLOB);
++INSERT INTO t1 VALUES (1, '2'), (2, '3'), (3, '2');
++
++SELECT DISTINCT LEAST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
++SELECT DISTINCT GREATEST(a, (SELECT b FROM t1 LIMIT 1)) FROM t1 UNION SELECT 1;
++
++DROP TABLE t1;
++
+ --echo End of tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/item_func.cc mysql-5.1-5.1.49/sql/item_func.cc
+--- mysql-5.1-5.1.49~/sql/item_func.cc 2010-11-08 11:04:19.000000000 -0500
++++ mysql-5.1-5.1.49/sql/item_func.cc 2010-11-08 11:04:23.000000000 -0500
+@@ -2243,6 +2243,8 @@
+ max_length= my_decimal_precision_to_length_no_truncation(max_int_part +
+ decimals, decimals,
+ unsigned_flag);
++ else if (cmp_type == REAL_RESULT)
++ max_length= float_length(decimals);
+ cached_field_type= agg_field_type(args, arg_count);
+ }
+
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3839.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3839.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3839.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,77 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fixdenial of service via certain queries with nested joins.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3461.3.1
+# Bug: http://bugs.mysql.com/bug.php?id=53544
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/join.result mysql-5.1-5.1.49/mysql-test/r/join.result
+--- mysql-5.1-5.1.49~/mysql-test/r/join.result 2010-11-08 11:04:33.000000000 -0500
++++ mysql-5.1-5.1.49/mysql-test/r/join.result 2010-11-08 11:05:51.000000000 -0500
+@@ -1200,4 +1200,24 @@
+ 1
+ 1
+ DROP TABLE t1;
++#
++# Bug #53544: Server hangs during JOIN query in stored procedure called
++# twice in a row
++#
++CREATE TABLE t1(c INT);
++INSERT INTO t1 VALUES (1), (2);
++PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN
++ t1 t2 ON t1.c=t2.c RIGHT JOIN
++ t1 t3 ON t1.c=t3.c
++ GROUP BY f1;";
++EXECUTE stmt;
++f1
++1
++2
++EXECUTE stmt;
++f1
++1
++2
++DEALLOCATE PREPARE stmt;
++DROP TABLE t1;
+ End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/join.test mysql-5.1-5.1.49/mysql-test/t/join.test
+--- mysql-5.1-5.1.49~/mysql-test/t/join.test 2010-11-08 11:04:33.000000000 -0500
++++ mysql-5.1-5.1.49/mysql-test/t/join.test 2010-11-08 11:05:10.000000000 -0500
+@@ -901,4 +901,24 @@
+
+ DROP TABLE t1;
+
++--echo #
++--echo # Bug #53544: Server hangs during JOIN query in stored procedure called
++--echo # twice in a row
++--echo #
++
++CREATE TABLE t1(c INT);
++
++INSERT INTO t1 VALUES (1), (2);
++
++PREPARE stmt FROM "SELECT t2.c AS f1 FROM t1 LEFT JOIN
++ t1 t2 ON t1.c=t2.c RIGHT JOIN
++ t1 t3 ON t1.c=t3.c
++ GROUP BY f1;";
++
++EXECUTE stmt;
++EXECUTE stmt;
++
++DEALLOCATE PREPARE stmt;
++DROP TABLE t1;
++
+ --echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/sql_select.cc mysql-5.1-5.1.49/sql/sql_select.cc
+--- mysql-5.1-5.1.49~/sql/sql_select.cc 2010-11-08 11:04:33.000000000 -0500
++++ mysql-5.1-5.1.49/sql/sql_select.cc 2010-11-08 11:05:10.000000000 -0500
+@@ -8883,10 +8883,10 @@
+
+ /* Flatten nested joins that can be flattened. */
+ TABLE_LIST *right_neighbor= NULL;
+- bool fix_name_res= FALSE;
+ li.rewind();
+ while ((table= li++))
+ {
++ bool fix_name_res= FALSE;
+ nested_join= table->nested_join;
+ if (nested_join && !table->on_expr)
+ {
Added: mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3840.dpatch
===================================================================
--- mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3840.dpatch (rev 0)
+++ mysql-dfsg-5.1/branches/unstable/debian/patches/61_CVE-2010-3840.dpatch 2010-11-30 08:19:54 UTC (rev 1917)
@@ -0,0 +1,62 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via PolyFromWKB() function and improper data.
+# Origin: upstream, http://bazaar.launchpad.net/~mysql/mysql-server/mysql-5.1/revision/3452.1.42
+# Bug: http://bugs.mysql.com/bug.php?id=51875
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/r/gis.result mysql-5.1-5.1.49/mysql-test/r/gis.result
+--- mysql-5.1-5.1.49~/mysql-test/r/gis.result 2010-07-09 09:02:56.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/r/gis.result 2010-11-08 11:07:09.000000000 -0500
+@@ -1057,4 +1057,11 @@
+ SELECT Polygon(12345123,'');
+ Polygon(12345123,'')
+ NULL
++#
++# BUG#51875: crash when loading data into geometry function polyfromwkb
++#
++SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
++SET @a=POLYFROMWKB(@a);
++SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
++SET @a=POLYFROMWKB(@a);
+ End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/mysql-test/t/gis.test mysql-5.1-5.1.49/mysql-test/t/gis.test
+--- mysql-5.1-5.1.49~/mysql-test/t/gis.test 2010-07-09 09:02:27.000000000 -0400
++++ mysql-5.1-5.1.49/mysql-test/t/gis.test 2010-11-08 11:07:09.000000000 -0500
+@@ -722,4 +722,14 @@
+ SELECT Polygon(1234512,'');
+ SELECT Polygon(12345123,'');
+
++
++--echo #
++--echo # BUG#51875: crash when loading data into geometry function polyfromwkb
++--echo #
++SET @a=0x00000000030000000100000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
++SET @a=POLYFROMWKB(@a);
++SET @a=0x00000000030000000000000000000000000000000000144000000000000014400000000000001840000000000000184000000000000014400000000000001440;
++SET @a=POLYFROMWKB(@a);
++
++
+ --echo End of 5.1 tests
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' mysql-5.1-5.1.49~/sql/spatial.cc mysql-5.1-5.1.49/sql/spatial.cc
+--- mysql-5.1-5.1.49~/sql/spatial.cc 2010-07-09 08:35:15.000000000 -0400
++++ mysql-5.1-5.1.49/sql/spatial.cc 2010-11-08 11:07:09.000000000 -0500
+@@ -522,7 +522,7 @@
+ n_points= wkb_get_uint(wkb, bo);
+ proper_length= 4 + n_points * POINT_DATA_SIZE;
+
+- if (len < proper_length || res->reserve(proper_length))
++ if (!n_points || len < proper_length || res->reserve(proper_length))
+ return 0;
+
+ res->q_append(n_points);
+@@ -740,7 +740,9 @@
+ if (len < 4)
+ return 0;
+
+- n_linear_rings= wkb_get_uint(wkb, bo);
++ if (!(n_linear_rings= wkb_get_uint(wkb, bo)))
++ return 0;
++
+ if (res->reserve(4, 512))
+ return 0;
+ wkb+= 4;
More information about the Pkg-mysql-commits
mailing list