Bug#45152 crash with round() function on longtext column in a derived table

The crash happens due to wrong max_length value which is set on Item_func_round::fix_length_and_dec() stage. The value is set to args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields. The fix is to set max_length using float_length() function. mysql-test/r/func_math.result: test result mysql-test/t/func_math.test: test case sql/item_func.cc: The crash happens due to wrong max_length value which is set on Item_func_round::fix_length_and_dec() stage. The value is set to args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields. The fix is to set max_length using float_length() function.

Bug#45152 crash with round() function on longtext column in a derived table
The crash happens due to wrong max_length value which is set on Item_func_round::fix_length_and_dec() stage. The value is set to args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields. The fix is to set max_length using float_length() function. mysql-test/r/func_math.result: test result mysql-test/t/func_math.test: test case sql/item_func.cc: The crash happens due to wrong max_length value which is set on Item_func_round::fix_length_and_dec() stage. The value is set to args[0]->max_length which is too big in case of LONGTEXT(LONGBLOB) fields. The fix is to set max_length using float_length() function.
33734e95 · Sergey Glukhov · 47b334a6 · 33734e95 · 33734e95 · 33734e95
Commit 33734e95 authored Jun 02, 2009 by Sergey Glukhov
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

mysql-test/r/func_math.result mysql-test/r/func_math.result +7 -0

mysql-test/t/func_math.test mysql-test/t/func_math.test +9 -0

sql/item_func.cc sql/item_func.cc +2 -2

No files found.
--- a/mysql-test/r/func_math.result
+++ b/mysql-test/r/func_math.result
@@ -390,4 +390,11 @@ a	ROUND(a)
 -1e+16	-10000000000000002
 1e+16	10000000000000002
 DROP TABLE t1;
+CREATE TABLE t1(f1 LONGTEXT) engine=myisam;
+INSERT INTO t1 VALUES ('a');
+SELECT 1 FROM (SELECT ROUND(f1) AS a FROM t1) AS s WHERE a LIKE 'a';
+1
+SELECT 1 FROM (SELECT ROUND(f1, f1) AS a FROM t1) AS s WHERE a LIKE 'a';
+1
+DROP TABLE t1;
 End of 5.0 tests
--- a/mysql-test/t/func_math.test
+++ b/mysql-test/t/func_math.test
@@ -250,4 +250,13 @@ SELECT a, ROUND(a) FROM t1;

 DROP TABLE t1;

+#
+# Bug#45152 crash with round() function on longtext column in a derived table
+#
+CREATE TABLE t1(f1 LONGTEXT) engine=myisam;
+INSERT INTO t1 VALUES ('a');
+SELECT 1 FROM (SELECT ROUND(f1) AS a FROM t1) AS s WHERE a LIKE 'a';
+SELECT 1 FROM (SELECT ROUND(f1, f1) AS a FROM t1) AS s WHERE a LIKE 'a';
+DROP TABLE t1;
+
 --echo End of 5.0 tests
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1958,8 +1958,8 @@ void Item_func_round::fix_length_and_dec()
  unsigned_flag= args[0]->unsigned_flag;
  if (!args[1]->const_item())
  {
-    max_length= args[0]->max_length;
    decimals= args[0]->decimals;
+    max_length= float_length(decimals);
    if (args[0]->result_type() == DECIMAL_RESULT)
    {
      max_length++;
@@ -1979,8 +1979,8 @@ void Item_func_round::fix_length_and_dec()

  if (args[0]->decimals == NOT_FIXED_DEC)
  {
-    max_length= args[0]->max_length;
    decimals= min(decimals_to_set, NOT_FIXED_DEC);
+    max_length= float_length(decimals);
    hybrid_type= REAL_RESULT;
    return;
  }