Bug #6167 One element missing in 'uc_update_queries[]' in "sql/sql_parse.cc"
Submitted: 20 Oct 2004 1:19 Modified: 22 Oct 2004 7:00
Reporter: Kent Boortz
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: >= 4.1 OS: Any (any)
Assigned to: Kent Boortz CPU Architecture: Any

[20 Oct 2004 1:19] Kent Boortz
Description:
An array 'uc_update_queries' with flags is used from
is_update_query(). In some situations the 'command'
argument is SQLCOM_END, making the function access
one byte beyond the array end.

How to repeat:
Add the assert

 bool is_update_query(enum enum_sql_command command)
 {
   DBUG_ASSERT(command >= 0 && command < SQLCOM_END);
   return uc_update_queries[command];
 }

compile with debugging on and run the test

 % ./mysql-test-run --do-test=kill

Suggested fix:
--- sql/sql_parse.cc.ORIG       Tue Oct 19 23:33:41 2004
+++ sql/sql_parse.cc    Wed Oct 20 02:54:08 2004
@@ -501,12 +501,17 @@
 /*
   Mark all commands that somehow changes a table
   This is used to check number of updates / hour
+
+  sql_command is actually set to SQLCOM_END sometimes
+  so we need the +1 to include it in the array.
 */
 
-char  uc_update_queries[SQLCOM_END];
+char  uc_update_queries[SQLCOM_END+1];
 
 void init_update_queries(void)
 {
+  bzero((gptr) &uc_update_queries, sizeof(uc_update_queries));
+
   uc_update_queries[SQLCOM_CREATE_TABLE]=1;
   uc_update_queries[SQLCOM_CREATE_INDEX]=1;
   uc_update_queries[SQLCOM_ALTER_TABLE]=1;
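Review bot: The added bzero() in init_update_queries() is redundant: uc_update_queries is a file-scope array, so it has static storage duration and is already zero-initialised before any code runs; if it is kept for documentation purposes, `bzero((gptr) uc_update_queries, sizeof(uc_update_queries));` (without the `&`) is the more conventional spelling. The new comment should also say where sql_command gets set to SQLCOM_END, so a later reader can judge whether the +1 is covering a legitimate state or masking a caller that never set the command.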
@@ -531,6 +536,7 @@
 
 bool is_update_query(enum enum_sql_command command)
 {
+  DBUG_ASSERT(command >= 0 && command <= SQLCOM_END);
   return uc_update_queries[command];
 }
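Review bot: The DBUG_ASSERT only exists in debug builds, so in a release server an out-of-range command still indexes past the table; since the table is now sized SQLCOM_END+1, a plain runtime guard costs nothing and holds everywhere, e.g. `return command >= 0 && command <= SQLCOM_END && uc_update_queries[command];`. Also note that `command >= 0` may draw an "always true" warning on compilers that give enum_sql_command an unsigned underlying type.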
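A stand-alone C miniature of the pattern the report describes (an added example, not the server's code): a constructed subset of enum_sql_command, the flag table sized SQLCOM_END+1 as in the suggested fix, a compile-time size check, and a lookup whose range check also holds in release builds, where DBUG_ASSERT compiles away.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed miniature of the server's command enumeration; the real
   enum_sql_command has many more members. SQLCOM_END is the sentinel. */
enum enum_sql_command {
    SQLCOM_SELECT,
    SQLCOM_CREATE_TABLE,
    SQLCOM_CREATE_INDEX,
    SQLCOM_ALTER_TABLE,
    SQLCOM_END
};

/* Sized SQLCOM_END+1 so that the sentinel itself is a valid index, as in
   the suggested fix. File-scope storage is zero-initialised, so every
   command not marked in init_update_queries() reads as 0 (not an update). */
static char uc_update_queries[SQLCOM_END + 1];

/* Compile-time guard: refuses to build if the table is ever shrunk back
   to SQLCOM_END entries, which is exactly the off-by-one of the report. */
_Static_assert(sizeof(uc_update_queries) == SQLCOM_END + 1,
               "uc_update_queries must have room for the SQLCOM_END index");

void init_update_queries(void)
{
    uc_update_queries[SQLCOM_CREATE_TABLE] = 1;
    uc_update_queries[SQLCOM_CREATE_INDEX] = 1;
    uc_update_queries[SQLCOM_ALTER_TABLE] = 1;
}

/* Bounds-checked lookup: unlike a debug-only assert, the range check stays
   in release builds. Out-of-range values are reported as "not an update"
   instead of being read from memory past the table. The unsigned compare
   folds a negative command into the upper-bound test. */
bool is_update_query(enum enum_sql_command command)
{
    if ((unsigned)command > (unsigned)SQLCOM_END)
        return false;
    return uc_update_queries[command] != 0;
}

int main(void)
{
    init_update_queries();
    /* Exit status 0 only if the sentinel and a real update behave as expected. */
    return (is_update_query(SQLCOM_ALTER_TABLE) && !is_update_query(SQLCOM_END)) ? 0 : 1;
}
```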