
Commit 264843a

committed
Merge branch 'bb-10.6-release' into 10.11
2 parents 4d06d7b + 05f36e6 commit 264843a

3 files changed

Lines changed: 36 additions & 8 deletions


Lines changed: 14 additions & 0 deletions
@@ -1,3 +1,6 @@
1+
#
2+
# MDEV-4462 mysqld gets SIGFPE when mysql.user table is empty
3+
#
14
create table t1 as select * from mysql.global_priv;
25
truncate table mysql.global_priv;
36
flush privileges;
@@ -14,3 +17,14 @@ connect(localhost,u1,,test,MASTER_PORT,MASTER_SOCKET);
1417
connect fail,localhost,u1;
1518
Got one of the listed errors
1619
# switching back from mysql.user to mysql.global_priv
20+
#
21+
# MDEV-39266 Stack Overflow via alloca() in Privilege Table JSON Parser
22+
#
23+
INSERT INTO mysql.global_priv (Host, User, Priv) VALUES
24+
('localhost', 'MDEV-39266', CONCAT(
25+
'{"access":0,"plugin":"mysql_native_password","authentication_string":"',
26+
REPEAT('X', 400000),
27+
'","password_last_changed":0}'));
28+
FLUSH PRIVILEGES;
29+
DROP USER `MDEV-39266`@localhost;
30+
# End if 10.6 tests
Lines changed: 18 additions & 4 deletions
@@ -1,9 +1,9 @@
1-
#
2-
# MDEV-4462 mysqld gets SIGFPE when mysql.user table is empty
3-
#
4-
51
source include/not_embedded.inc;
62

3+
--echo #
4+
--echo # MDEV-4462 mysqld gets SIGFPE when mysql.user table is empty
5+
--echo #
6+
77
create table t1 as select * from mysql.global_priv;
88
truncate table mysql.global_priv;
99
flush privileges;
@@ -34,3 +34,17 @@ flush privileges;
3434
connect (fail,localhost,u1);
3535

3636
source include/switch_to_mysql_global_priv.inc;
37+
38+
--echo #
39+
--echo # MDEV-39266 Stack Overflow via alloca() in Privilege Table JSON Parser
40+
--echo #
41+
42+
INSERT INTO mysql.global_priv (Host, User, Priv) VALUES
43+
('localhost', 'MDEV-39266', CONCAT(
44+
'{"access":0,"plugin":"mysql_native_password","authentication_string":"',
45+
REPEAT('X', 400000),
46+
'","password_last_changed":0}'));
47+
FLUSH PRIVILEGES;
48+
DROP USER `MDEV-39266`@localhost;
49+
50+
--echo # End if 10.6 tests
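Review bot: The closing marker at new line 50, `--echo # End if 10.6 tests`, has a typo and should read `--echo # End of 10.6 tests`; the recorded result file repeats the same text and would need to be regenerated with it. The literal in `REPEAT('X', 400000)` is also unexplained, so a maintainer cannot tell how far it may be reduced. A comment before the INSERT such as `# authentication_string long enough that unescaping it must not rely on a stack buffer` would record the intent.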

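--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -1776,17 +1776,17 @@ class User_table_json: public User_table
 const char *value_start;
 if (get_value(key, JSV_STRING, &value_start, &value_len))
 return "";
-char *ptr= (char*)alloca(value_len);
+char *ptr= (char*)my_safe_alloca(value_len);
 if (!ptr)
 return NULL;
 int len= json_unescape(m_table->field[2]->charset(),
 (const uchar*)value_start,
 (const uchar*)value_start + value_len,
 system_charset_info,
 (uchar*)ptr, (uchar*)ptr + value_len);
-if (len < 0)
-return NULL;
-return strmake_root(root, ptr, len);
+const char *js= len < 0 ? NULL : strmake_root(root, ptr, len);
+my_safe_afree(ptr, value_len);
+return js;
 }
 longlong get_int_value(const char *key, longlong def_val= 0) const
 {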
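Review bot: The `my_safe_alloca(value_len)` / `my_safe_afree(ptr, value_len)` pair at new lines 1779 and 1788 depends on value_len being unchanged between the two calls, and nothing in the code says so. To my knowledge the free macro uses its size argument to decide whether the buffer was heap-allocated, so a later edit that adjusts value_len in between would leak the buffer or free a stack pointer. I would add a comment above the allocation, for example `// value_len comes from the Priv JSON stored in the table and is not bounded, so large values go to the heap; keep value_len unchanged until my_safe_afree()`. The enclosing function starts outside the hunk, so the declaration and type of value_len are not visible here.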
