InnoDB cleanup: fixing buffer overflows and quoting of quotes

dtuple_t*

dict_create_sys_tables_tuple(

/*=========================*/

				/* out: the tuple which should be inserted */

	dict_table_t*	table, 	/* in: table */

	mem_heap_t*	heap);	/* in: memory heap from which the memory for

				the built tuple is allocated */

/*********************************************************************

Based on a table object, this function builds the entry to be inserted

in the SYS_COLUMNS system table. */

static

dtuple_t*

dict_create_sys_columns_tuple(

/*==========================*/

				/* out: the tuple which should be inserted */

	dict_table_t*	table, 	/* in: table */

	ulint		i,	/* in: column number */

	mem_heap_t*	heap);	/* in: memory heap from which the memory for

				the built tuple is allocated */

/*********************************************************************

Based on an index object, this function builds the entry to be inserted

in the SYS_INDEXES system table. */

static

dtuple_t*

dict_create_sys_indexes_tuple(

/*==========================*/

				/* out: the tuple which should be inserted */

	dict_index_t*	index, 	/* in: index */

	mem_heap_t*	heap,	/* in: memory heap from which the memory for

				the built tuple is allocated */

	trx_t*		trx);	/* in: transaction handle */

/*********************************************************************

Based on an index object, this function builds the entry to be inserted

in the SYS_FIELDS system table. */

static

dtuple_t*

dict_create_sys_fields_tuple(

/*=========================*/

				/* out: the tuple which should be inserted */

	dict_index_t*	index, 	/* in: index */

	ulint		i,	/* in: field number */

	mem_heap_t*	heap);	/* in: memory heap from which the memory for

				the built tuple is allocated */

/*********************************************************************

Creates the tuple with which the index entry is searched for

writing the index tree root page number, if such a tree is created. */

static

dtuple_t*

dict_create_search_tuple(

/*=====================*/

				/* out: the tuple for search */

	dtuple_t*	tuple,	/* in: the tuple inserted in the SYS_INDEXES

				table */

	mem_heap_t*	heap);	/* in: memory heap from which the memory for

				the built tuple is allocated */

/*********************************************************************

Based on a table object, this function builds the entry to be inserted

in the SYS_TABLES system table. */

static

dtuple_t*

dict_create_sys_tables_tuple(

/*=========================*/

				/* out: the tuple which should be inserted */

	dict_table_t*	table, 	/* in: table */

	mem_heap_t*	heap)	/* in: memory heap from which the memory for

				the built tuple is allocated */

/*==========================*/

				/* out: the tuple which should be inserted */

	dict_index_t*	index, 	/* in: index */

	mem_heap_t*	heap,	/* in: memory heap from which the memory for

	mem_heap_t*	heap)	/* in: memory heap from which the memory for

				the built tuple is allocated */

	trx_t*		trx)	/* in: transaction handle */

{

	dict_table_t*	sys_indexes;

	dict_table_t*	table;

	dfield_t*	dfield;

	byte*		ptr;

	UT_NOT_USED(trx);

#ifdef UNIV_SYNC_DEBUG

	ut_ad(mutex_own(&(dict_sys->mutex)));

#endif /* UNIV_SYNC_DEBUG */

	dfield_set_data(dfield, ptr, 4);

	/* 7: SPACE --------------------------*/

	ut_a(DICT_SYS_INDEXES_SPACE_NO_FIELD == 7);

#if DICT_SYS_INDEXES_SPACE_NO_FIELD != 7

#error "DICT_SYS_INDEXES_SPACE_NO_FIELD != 7"

#endif

	dfield = dtuple_get_nth_field(entry, 5);

	dfield_set_data(dfield, ptr, 4);

	/* 8: PAGE_NO --------------------------*/

	ut_a(DICT_SYS_INDEXES_PAGE_NO_FIELD == 8);

#if DICT_SYS_INDEXES_PAGE_NO_FIELD != 8

#error "DICT_SYS_INDEXES_PAGE_NO_FIELD != 8"

#endif

	dfield = dtuple_get_nth_field(entry, 6);

	index->page_no = FIL_NULL;

	row = dict_create_sys_indexes_tuple(index, node->heap,

							thr_get_trx(thr));

	row = dict_create_sys_indexes_tuple(index, node->heap);

	node->ind_row = row;

	ins_node_set_new_row(node->ind_def, row);

dict_create_index_tree_step(

/*========================*/

				/* out: DB_SUCCESS or DB_OUT_OF_FILE_SPACE */

	que_thr_t*	thr,	/* in: query thread */

	ind_node_t*	node)	/* in: index create node */

{

	dict_index_t*	index;

#ifdef UNIV_SYNC_DEBUG

	ut_ad(mutex_own(&(dict_sys->mutex)));

#endif /* UNIV_SYNC_DEBUG */

	UT_NOT_USED(thr);

	index = node->index;	

	table = node->table;

	if (node->state == INDEX_CREATE_INDEX_TREE) {

		err = dict_create_index_tree_step(thr, node);

		err = dict_create_index_tree_step(node);

		if (err != DB_SUCCESS) {

	que_t*		graph;

	ulint		number	= start_id + 1;

	ulint		len;

	ulint		namelen;

	ulint		error;

	char*		ebuf	= dict_foreign_err_buf;

	ulint		i;

	char		buf[10000];

	char*		sql;

	char*		sqlend;

	/* This procedure builds an InnoDB stored procedure which will insert

	the necessary rows into SYS_FOREIGN and SYS_FOREIGN_COLS. */

	static const char str1[] = "PROCEDURE ADD_FOREIGN_DEFS_PROC () IS\n"

	"BEGIN\n"

	"INSERT INTO SYS_FOREIGN VALUES(";

	static const char str2[] = ");\n";

	static const char str3[] =

	"INSERT INTO SYS_FOREIGN_COLS VALUES(";

	static const char str4[] =

	"COMMIT WORK;\n"

	"END;\n";

#ifdef UNIV_SYNC_DEBUG

	ut_ad(mutex_own(&(dict_sys->mutex)));

		return(DB_SUCCESS);

	}

	/* Build an InnoDB stored procedure which will insert the necessary

	rows to SYS_FOREIGN and SYS_FOREIGN_COLS */

	len = 0;

	len += sprintf(buf,

	"PROCEDURE ADD_FOREIGN_DEFS_PROC () IS\n"

	"BEGIN\n");

	namelen = strlen(table->name);

	ut_a(namelen < MAX_TABLE_NAME_LEN);

	if (foreign->id == NULL) {

		/* Generate a new constraint id */

		foreign->id = mem_heap_alloc(foreign->heap, namelen + 20);

		ulint	namelen	= strlen(table->name);

		char*	id	= mem_heap_alloc(foreign->heap, namelen + 20);

		/* no overflow if number < 1e13 */

		sprintf(foreign->id, "%s_ibfk_%lu", table->name, number);

		number++;

		sprintf(id, "%s_ibfk_%lu", table->name, number++);

		foreign->id = id;

	}

	ut_a(strlen(foreign->id) < MAX_IDENTIFIER_LEN);

	ut_a(len < (sizeof buf)

		- 46 - 2 * MAX_TABLE_NAME_LEN - MAX_IDENTIFIER_LEN - 20);

	len = (sizeof str1) + (sizeof str2) + (sizeof str4) - 3

		+ 9/* ' and , chars */ + 10/* 32-bit integer */

		+ ut_strlenq(foreign->id, '\'') * (foreign->n_fields + 1)

		+ ut_strlenq(table->name, '\'')

		+ ut_strlenq(foreign->referenced_table_name, '\'');

	for (i = 0; i < foreign->n_fields; i++) {

		len += 9/* ' and , chars */ + 10/* 32-bit integer */

			+ (sizeof str3) + (sizeof str2) - 2

			+ ut_strlenq(foreign->foreign_col_names[i], '\'')

			+ ut_strlenq(foreign->referenced_col_names[i], '\'');

	}

	len += sprintf(buf + len,

	"INSERT INTO SYS_FOREIGN VALUES('%s', '%s', '%s', %lu);\n",

					foreign->id,

					table->name,

					foreign->referenced_table_name,

					foreign->n_fields

					+ (foreign->type << 24));

	sql = sqlend = mem_alloc(len + 1);

	/* INSERT INTO SYS_FOREIGN VALUES(...); */

	memcpy(sqlend, str1, (sizeof str1) - 1);

	sqlend += (sizeof str1) - 1;

	*sqlend++ = '\'';

	sqlend = ut_strcpyq(sqlend, '\'', foreign->id);

	*sqlend++ = '\'', *sqlend++ = ',', *sqlend++ = '\'';

	sqlend = ut_strcpyq(sqlend, '\'', table->name);

	*sqlend++ = '\'', *sqlend++ = ',', *sqlend++ = '\'';

	sqlend = ut_strcpyq(sqlend, '\'', foreign->referenced_table_name);

	*sqlend++ = '\'', *sqlend++ = ',';

	sqlend += sprintf(sqlend, "%010lu",

			foreign->n_fields + (foreign->type << 24));

	memcpy(sqlend, str2, (sizeof str2) - 1);

	sqlend += (sizeof str2) - 1;

	for (i = 0; i < foreign->n_fields; i++) {

		ut_a(len < (sizeof buf)

			- 51 - 2 * MAX_COLUMN_NAME_LEN

			- MAX_IDENTIFIER_LEN - 20);

		len += sprintf(buf + len,

	"INSERT INTO SYS_FOREIGN_COLS VALUES('%s', %lu, '%s', '%s');\n",

					foreign->id,

					i,

					foreign->foreign_col_names[i],

		/* INSERT INTO SYS_FOREIGN_COLS VALUES(...); */

		memcpy(sqlend, str3, (sizeof str3) - 1);

		sqlend += (sizeof str3) - 1;

		*sqlend++ = '\'';

		sqlend = ut_strcpyq(sqlend, '\'', foreign->id);

		*sqlend++ = '\''; *sqlend++ = ',';

		sqlend += sprintf(sqlend, "%010lu", i);

		*sqlend++ = ','; *sqlend++ = '\'';

		sqlend = ut_strcpyq(sqlend, '\'',

			foreign->foreign_col_names[i]);

		*sqlend++ = '\''; *sqlend++ = ','; *sqlend++ = '\'';

		sqlend = ut_strcpyq(sqlend, '\'',

			foreign->referenced_col_names[i]);

		*sqlend++ = '\'';

		memcpy(sqlend, str2, (sizeof str2) - 1);

		sqlend += (sizeof str2) - 1;

	}

	ut_a(len < (sizeof buf) - 19);

	len += sprintf(buf + len,"COMMIT WORK;\nEND;\n");

	memcpy(sqlend, str4, sizeof str4);

	sqlend += sizeof str4;

	graph = pars_sql(buf);

	ut_a(sqlend == sql + len + 1);

	graph = pars_sql(sql);

	ut_a(graph);

	mem_free(sql);

	graph->trx = trx;

	trx->graph = NULL;

	rec_t*		rec;

	byte*		field;

	ulint		len;

	char*		table_name;

	mtr_t		mtr;

#ifdef UNIV_SYNC_DEBUG

		/* We found one */

		table_name = mem_alloc(len + 1);

		ut_memcpy(table_name, field, len);

		table_name[len] = '\0';

		char*	table_name = mem_strdupl(field, len);

		btr_pcur_close(&pcur);

		mtr_commit(&mtr);

	rec_t*		rec;

	byte*		field;

	ulint		len;

	char		table_name[10000];

	mtr_t		mtr;

	mutex_enter(&(dict_sys->mutex));

		/* We found one */

		ut_memcpy(table_name, field, len);

		table_name[len] = '\0';

		char*	table_name = mem_strdupl(field, len);

		btr_pcur_store_position(&pcur, &mtr);

		mtr_commit(&mtr);

		table = dict_table_get_low(table_name);

		mem_free(table_name);

		if (table == NULL) {

			fprintf(stderr, "InnoDB: Failed to load table %s\n",

	byte*		field;

	ulint		len;

	byte*		buf;

	char*		name_buf;

	char*		name;

	ulint		mtype;

	ulint		prtype;

			dict_table_get_first_index(sys_columns), 4))->name));

		field = rec_get_nth_field(rec, 4, &len);

		name_buf = mem_heap_alloc(heap, len + 1);

		ut_memcpy(name_buf, field, len);

		name_buf[len] = '\0';

		name = name_buf;

		name = mem_heap_strdupl(heap, field, len);

		field = rec_get_nth_field(rec, 5, &len);

		mtype = mach_read_from_4(field);

	btr_pcur_t	pcur;

	dtuple_t*	tuple;

	dfield_t*	dfield;

	char*		col_name;

	ulint		pos_and_prefix_len;

	ulint		prefix_len;

	rec_t*		rec;

		field = rec_get_nth_field(rec, 4, &len);

		col_name = mem_heap_alloc(heap, len + 1);

		ut_memcpy(col_name, field, len);

		col_name[len] = '\0';

		dict_mem_index_add_field(index, col_name, 0, prefix_len);

		dict_mem_index_add_field(index,

			mem_heap_strdupl(heap, field, len), 0, prefix_len);

		btr_pcur_move_to_next_user_rec(&pcur, &mtr);

	} 

			dict_table_get_first_index(sys_indexes), 4))->name));

		field = rec_get_nth_field(rec, 4, &name_len);

		name_buf = mem_heap_alloc(heap, name_len + 1);

		ut_memcpy(name_buf, field, name_len);

		name_buf[name_len] = '\0';

		name_buf = mem_heap_strdupl(heap, field, name_len);

		field = rec_get_nth_field(rec, 5, &len);

		n_fields = mach_read_from_4(field);

		if (is_sys_table

		    && ((type & DICT_CLUSTERED)

		        || ((table == dict_sys->sys_tables)

		            && (name_len == ut_strlen("ID_IND"))

		            && (name_len == (sizeof "ID_IND") - 1)

			    && (0 == ut_memcmp(name_buf, (char*)"ID_IND",

							name_len))))) {

	rec_t*		rec;

	byte*		field;

	ulint		len;

	char*		buf;

	ulint		space;

	ulint		n_cols;

	ulint		err;

	if (table->type == DICT_TABLE_CLUSTER_MEMBER) {

		ut_error;

#if 0 /* clustered tables have not been implemented yet */

		field = rec_get_nth_field(rec, 6, &len);

		table->mix_id = mach_read_from_8(field);

		field = rec_get_nth_field(rec, 8, &len);

		buf = mem_heap_alloc(heap, len);

		ut_memcpy(buf, field, len);

		table->cluster_name = buf;

		table->cluster_name = mem_heap_strdupl(heap, field, len);

#endif

	}

	if ((table->type == DICT_TABLE_CLUSTER)

	byte*		field;

	ulint		len;	

	dict_table_t*	table;

	char*		name;

	mtr_t		mtr;

#ifdef UNIV_SYNC_DEBUG

	/* Now we get the table name from the record */

	field = rec_get_nth_field(rec, 1, &len);

	name = mem_heap_alloc(heap, len + 1);

	ut_memcpy(name, field, len);

	name[len] = '\0';

	/* Load the table definition to memory */

	table = dict_load_table(name);

	table = dict_load_table(mem_heap_strdupl(heap, field, len));

	btr_pcur_close(&pcur);

	mtr_commit(&mtr);

	btr_pcur_t	pcur;

	dtuple_t*	tuple;

	dfield_t*	dfield;

	char*		col_name;

	rec_t*		rec;

	byte*		field;

	ulint		len;

		ut_a(i == mach_read_from_4(field));

		field = rec_get_nth_field(rec, 4, &len);

		col_name = mem_heap_alloc(foreign->heap, len + 1);

		ut_memcpy(col_name, field, len);

		col_name[len] = '\0';

		foreign->foreign_col_names[i] = col_name;

		foreign->foreign_col_names[i] =

			mem_heap_strdupl(foreign->heap, field, len);

		field = rec_get_nth_field(rec, 5, &len);

		col_name = mem_heap_alloc(foreign->heap, len + 1);

		ut_memcpy(col_name, field, len);

		col_name[len] = '\0';

		foreign->referenced_col_names[i] = col_name;

		foreign->referenced_col_names[i] =

			mem_heap_strdupl(foreign->heap, field, len);

		btr_pcur_move_to_next_user_rec(&pcur, &mtr);

	} 

	foreign->type = foreign->n_fields >> 24;

	foreign->n_fields = foreign->n_fields & 0xFFFFFF;

	foreign->id = mem_heap_alloc(foreign->heap, ut_strlen(id) + 1);

	ut_memcpy(foreign->id, id, ut_strlen(id) + 1);

	foreign->id = mem_heap_strdup(foreign->heap, id);

	field = rec_get_nth_field(rec, 3, &len);

	foreign->foreign_table_name = mem_heap_alloc(foreign->heap, 1 + len);

	ut_memcpy(foreign->foreign_table_name, field, len);

	foreign->foreign_table_name[len] = '\0';	

	foreign->foreign_table_name =

		mem_heap_strdupl(foreign->heap, field, len);

	field = rec_get_nth_field(rec, 4, &len);

	foreign->referenced_table_name = mem_heap_alloc(foreign->heap,

								1 + len);

	ut_memcpy(foreign->referenced_table_name, field, len);

	foreign->referenced_table_name[len] = '\0';	

	foreign->referenced_table_name =

		mem_heap_strdupl(foreign->heap, field, len);

	btr_pcur_close(&pcur);

	mtr_commit(&mtr);

	/* Now we get a foreign key constraint id */

	field = rec_get_nth_field(rec, 1, &len);

	id = mem_heap_alloc(heap, len + 1);

	ut_memcpy(id, field, len);

	id[len] = '\0';

	id = mem_heap_strdupl(heap, field, len);

	btr_pcur_store_position(&pcur, &mtr);

	table->heap = heap;

	str = mem_heap_alloc(heap, 1 + ut_strlen(name));

	ut_strcpy(str, name);

	str = mem_heap_strdup(heap, name);

	table->type = DICT_TABLE_ORDINARY;

	table->name = str;

	ulint		len,	/* in: length */

	ulint		prec)	/* in: precision */

{

	char*		str;

	dict_col_t*	col;

	dtype_t*	type;

	col = dict_table_get_nth_col(table, table->n_def - 1);	

	str = mem_heap_alloc(table->heap, 1 + ut_strlen(name));

	ut_strcpy(str, name);

	col->ind = table->n_def - 1;

	col->name = str;

	col->name = mem_heap_strdup(table->heap, name);

	col->table = table;

	col->ord_part = 0;

	ulint	type,		/* in: DICT_UNIQUE, DICT_CLUSTERED, ... ORed */

	ulint	n_fields)	/* in: number of fields */

{

	char*		str;

	dict_index_t*	index;

	mem_heap_t*	heap;

	index->heap = heap;

	str = mem_heap_alloc(heap, 1 + ut_strlen(index_name));

	ut_strcpy(str, index_name);

	index->type = type;

	index->space = space;

	index->name = str;

	index->name = mem_heap_strdup(heap, index_name);

	index->table_name = table_name;

	index->table = NULL;

	index->n_def = 0;

{

	que_node_t*	arg1;

	lint		int_val;

	byte*		str1;

	byte*		data;

	int		func;

	} else if (func == PARS_TO_CHAR_TOKEN) {

		/* Convert number to character string as a

		signed decimal integer. */

		ulint	uint_val;

		int	int_len;

		int_val = eval_node_get_int_val(arg1);

		data = eval_node_ensure_val_buf(func_node, 11);

		/* Determine the length of the string. */

		if (int_val == 0) {

			int_len = 1; /* the number 0 occupies 1 byte */

		} else {

			int_len = 0;

			if (int_val < 0) {

				uint_val = ((ulint) -int_val - 1) + 1;

				int_len++; /* reserve space for minus sign */

			} else {

				uint_val = (ulint) int_val;

			}

			for (; uint_val > 0; int_len++) {

				uint_val /= 10;

			}

		}

		/* allocate the string */

		data = eval_node_ensure_val_buf(func_node, int_len + 1);

		sprintf((char*)data, "%10li", int_val);

		/* add terminating NUL character */

		data[int_len] = 0;

		dfield_set_len(que_node_get_val(func_node), 10);

		/* convert the number */