From d7e118aa5b46ed8072bd8590fb574357c5cefb88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Tue, 29 Nov 2016 15:46:45 +0100
Subject: Fix a crash when executing prepared statements after rebinding
parameters
---
DBD-mysql-4.033-Pali-s-fix.patch | 120 +++++++++++++++++++++++++++++++++++++++
perl-DBD-MySQL.spec | 9 ++-
2 files changed, 128 insertions(+), 1 deletion(-)
create mode 100644 DBD-mysql-4.033-Pali-s-fix.patch
diff --git a/DBD-mysql-4.033-Pali-s-fix.patch b/DBD-mysql-4.033-Pali-s-fix.patch
new file mode 100644
index 0000000..1c7f35c
--- /dev/null
+++ b/DBD-mysql-4.033-Pali-s-fix.patch
@@ -0,0 +1,120 @@
+From 1675153d5a97620ea232d32f734ff6ad0a152558 Mon Sep 17 00:00:00 2001
+From: "Patrick M. Galbraith" <p...@hp.com>
+Date: Wed, 5 Oct 2016 09:14:40 -0400
+Subject: [PATCH] Pali's fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 4.033:
+
+commit a0adc032330b0209d6f8dc6b7179689b9fd243ce
+Author: Patrick M. Galbraith <p...@hp.com>
+Date: Wed Oct 5 09:14:40 2016 -0400
+
+ Testing Pali's fix
+
+commit 988368c7c14b48cadc5459c0725f1d9540ce1ede
+Author: Patrick Galbraith <p...@patg.net>
+Date: Fri Oct 14 19:59:25 2016 +0000
+
+ Release 4.037_01 with Pali's fix
+
+commit bf524018a0df488e6c02d919f2affb146b11f16a
+Author: Pali <p...@cpan.org>
+Date: Wed Oct 19 19:48:58 2016 +0200
+
+ Decrease length of bind params in t/40server_prepare_crash.t test
+
+ This should fix test for mysql with low max_allowed_packet size
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ dbdimp.c | 19 +++++++------------
+ t/40server_prepare_crash.t | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 12 deletions(-)
+ create mode 100644 t/40server_prepare_crash.t
+
+diff --git a/dbdimp.c b/dbdimp.c
+index deec357..8cb837d 100644
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -4930,10 +4930,6 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV *param,
SV *value,
+
+ /* Type of column was changed. Force to rebind */
+ if (imp_sth->bind[idx].buffer_type != buffer_type) {
+- /* Note: this looks like being another bug:
+- * if type of parameter N changes, then a bind is triggered
+- * with an only partially filled bind structure ??
+- */
+ if (DBIc_TRACE_LEVEL(imp_xxh) >= 2)
+ PerlIO_printf(DBIc_LOGPIO(imp_xxh),
+ " FORCE REBIND: buffer type changed from %d to %d,
sql-type=%d\n",
+@@ -4941,18 +4937,17 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV
*param, SV *value,
+ imp_sth->has_been_bound = 0;
+ }
+
+- /* prepare has not been called */
+- if (imp_sth->has_been_bound == 0)
+- {
+- imp_sth->bind[idx].buffer_type= buffer_type;
+- imp_sth->bind[idx].buffer= buffer;
+- imp_sth->bind[idx].buffer_length= buffer_length;
+- }
+- else /* prepare has been called */
++ /* prepare has been called */
++ if (imp_sth->has_been_bound)
+ {
+ imp_sth->stmt->params[idx].buffer= buffer;
+ imp_sth->stmt->params[idx].buffer_length= buffer_length;
+ }
++
++ imp_sth->bind[idx].buffer_type= buffer_type;
++ imp_sth->bind[idx].buffer= buffer;
++ imp_sth->bind[idx].buffer_length= buffer_length;
++
+ imp_sth->fbind[idx].length= buffer_length;
+ imp_sth->fbind[idx].is_null= buffer_is_null;
+ }
+diff --git a/t/40server_prepare_crash.t b/t/40server_prepare_crash.t
+new file mode 100644
+index 0000000..ea732f7
+--- /dev/null
++++ b/t/40server_prepare_crash.t
+@@ -0,0 +1,33 @@
++use strict;
++use warnings;
++
++use Test::More;
++use DBI;
++
++use vars qw($test_dsn $test_user $test_password);
++require "t/lib.pl";
++
++my $dbh = eval { DBI->connect($test_dsn, $test_user, $test_password, {
PrintError => 1, RaiseError => 1, AutoCommit => 0, mysql_server_prepare => 1 })
};
++plan skip_all => "no database connection" if $@ or not $dbh;
++
++plan tests => 13;
++
++ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n TEXT)");
++
++ok my $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
++
++ok $sth->bind_param(2, "x" x 1000000);
++ok $sth->bind_param(1, "abcx", 12);
++ok $sth->execute();
++
++ok $sth->bind_param(2, "a" x 1000000);
++ok $sth->bind_param(1, 1, 3);
++ok $sth->execute();
++
++ok $sth->finish();
++
++ok $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
++ok $sth->execute();
++ok $sth->finish();
++
++ok $dbh->disconnect();
+--
+2.7.4
+
diff --git a/perl-DBD-MySQL.spec b/perl-DBD-MySQL.spec
index 788b8f8..8acb9bc 100644
--- a/perl-DBD-MySQL.spec
+++ b/perl-DBD-MySQL.spec
@@ -1,6 +1,6 @@
Name: perl-DBD-MySQL
Version: 4.033
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: A MySQL interface for Perl
Group: Development/Libraries
License: GPL+ or Artistic
@@ -8,6 +8,9 @@ URL: http://search.cpan.org/dist/DBD-mysql/
Source0:
http://www.cpan.org/authors/id/C/CA/CAPTTOFU/DBD-mysql-%{version}.tar.gz
Patch0: DBD-MySQL-4.035-Fix-use-after-free-error.patch
Patch1:
DBD-MySQL-4.037-Do-not-use-unsafe-sprintf-w-variable-length-input.patch
+# Fix a crash when executing prepared statements after rebinding parameters,
+# in upstream after 4.037
+Patch2: DBD-mysql-4.033-Pali-s-fix.patch
BuildRequires: mariadb, mariadb-devel, zlib-devel
BuildRequires: coreutils
BuildRequires: findutils
@@ -41,6 +44,7 @@ management system.
%setup -q -n DBD-mysql-%{version}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
# Correct file permissions
find . -type f | xargs chmod -x
@@ -74,6 +78,9 @@ find %{buildroot} -type f -name '*.bs' -empty -exec rm -f {}
';'
%{_mandir}/man3/*.3*
%changelog
+* Tue Nov 29 2016 Petr Pisar <ppi...@redhat.com> - 4.033-4
+- Fix a crash when executing prepared statements after rebinding parameters
+
* Mon Oct 03 2016 Jitka Plesnikova <jples...@redhat.com> - 4.033-3
- Do not use unsafe sprintf w/variable length input (CVE-2016-1246)
--
cgit v0.12
http://pkgs.fedoraproject.org/cgit/perl-DBD-MySQL.git/commit/?h=f23&id=d7e118aa5b46ed8072bd8590fb574357c5cefb88
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org
