Description:
The flag array 'uc_update_queries' is indexed by
is_update_query(). In some situations the 'command'
argument is SQLCOM_END, which makes the function read
one byte beyond the end of the array.
How to repeat:
Add the following assertion to is_update_query():
bool is_update_query(enum enum_sql_command command)
{
  /*
    Instrumented lookup used to reproduce the overrun: the flag table has
    SQLCOM_END entries, so any index at or above SQLCOM_END reads past its
    end. Check the index range before the lookup so a debug build fails
    loudly instead of silently returning an out-of-bounds byte.
  */
  int idx= (int) command;
  DBUG_ASSERT(idx >= 0 && idx < SQLCOM_END);
  return uc_update_queries[idx] ? true : false;
}
compile with debugging enabled and run the test:
% ./mysql-test-run --do-test=kill
Suggested fix:
--- sql/sql_parse.cc.ORIG Tue Oct 19 23:33:41 2004
+++ sql/sql_parse.cc Wed Oct 20 02:54:08 2004
@@ -501,12 +501,17 @@
/*
Mark all commands that somehow changes a table
This is used to check number of updates / hour
+
+ sql_command is actually set to SQLCOM_END sometimes
+ so we need the +1 to include it in the array.
*/
-char uc_update_queries[SQLCOM_END];
+char uc_update_queries[SQLCOM_END+1];
void init_update_queries(void)
{
+ bzero((gptr) &uc_update_queries, sizeof(uc_update_queries));
+
uc_update_queries[SQLCOM_CREATE_TABLE]=1;
uc_update_queries[SQLCOM_CREATE_INDEX]=1;
uc_update_queries[SQLCOM_ALTER_TABLE]=1;
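Review bot: The `+1` in `char uc_update_queries[SQLCOM_END+1];` sizes the table for an index that is not a command, so the SQLCOM_END slot only ever holds the zero left by bzero(), and the new comment says sql_command is "sometimes" SQLCOM_END without saying which path sets it, so a reader cannot tell whether that state is legitimate or is the real defect being papered over. I would name the state in the comment, e.g. `/* sql_command is SQLCOM_END when <STATE-KNOWN-TO-AUTHOR>; the +1 keeps that lookup in bounds and it reads as "not an update" */`, and replace the bare `+1` with a named size such as `#define UC_UPDATE_QUERIES_SIZE (SQLCOM_END+1)` so the declaration and any bounds check cannot drift apart. The added `bzero((gptr) &uc_update_queries, sizeof(uc_update_queries));` is redundant on the first call because a file-scope array is zero-initialized; it only matters if init_update_queries() runs more than once, which the hunk does not show, and a one-line comment stating which case applies would help. The body of init_update_queries() continues past the end of the hunk.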
@@ -531,6 +536,7 @@
bool is_update_query(enum enum_sql_command command)
{
+ DBUG_ASSERT(command >= 0 && command <= SQLCOM_END);
return uc_update_queries[command];
}