Commit b1009ddf authored by Monty's avatar Monty

MDEV-25778 Overrun buffer in to_string_native()

The problem was that str->alloc(length) needed to allocate a buffer of
length+1 bytes, as decimal2string() adds a terminating null.
parent be84f9ce
...@@ -8,3 +8,12 @@ CHANGE MASTER TO master_user='user',master_password='pwd'; ...@@ -8,3 +8,12 @@ CHANGE MASTER TO master_user='user',master_password='pwd';
ERROR HY000: \042D\0442\0443 \043E\043F\0435\0440\0430\0446\0438\044E \043D\0435\0432\043E\0437\043C\043E\0436\043D\043E \0432\044B\043F\043E\043B\043D\0438\0442\044C \043F\0440\0438 \0440\0430\0431\043E\0442\0430\044E\0449\0435\043C \043F\043E\0442\043E\043A\0435 \043F\043E\0434\0447\0438\043D\0435\043D\043D\043E\0433\043E \0441\0435\0440\0432\0435\0440\0430 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ERROR HY000: \042D\0442\0443 \043E\043F\0435\0440\0430\0446\0438\044E \043D\0435\0432\043E\0437\043C\043E\0436\043D\043E \0432\044B\043F\043E\043B\043D\0438\0442\044C \043F\0440\0438 \0440\0430\0431\043E\0442\0430\044E\0449\0435\043C \043F\043E\0442\043E\043A\0435 \043F\043E\0434\0447\0438\043D\0435\043D\043D\043E\0433\043E \0441\0435\0440\0432\0435\0440\0430 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
STOP SLAVE; STOP SLAVE;
RESET SLAVE ALL; RESET SLAVE ALL;
#
# MDEV-25778 Overrun buffer in to_string_native()
#
CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
INSERT INTO t1 (a) VALUES (0.1),(0.2);
SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
f COUNT(*)
13 2
DROP TABLE t1;
...@@ -15,3 +15,12 @@ START SLAVE sql_thread; ...@@ -15,3 +15,12 @@ START SLAVE sql_thread;
CHANGE MASTER TO master_user='user',master_password='pwd'; CHANGE MASTER TO master_user='user',master_password='pwd';
STOP SLAVE; STOP SLAVE;
RESET SLAVE ALL; RESET SLAVE ALL;
--echo #
--echo # MDEV-25778 Overrun buffer in to_string_native()
--echo #
CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
INSERT INTO t1 (a) VALUES (0.1),(0.2);
SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
DROP TABLE t1;
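Review bot: The new test case does not say how it detects the overrun. The recorded output (`13 2`) would presumably be the same with and without the fix, so the one-byte write past the buffer is likely reported only by a memory-checking build. A comment above the `CREATE TABLE` would make that explicit, for example `# One-byte overrun; only ASAN/valgrind builds report it. ENCRYPT() forces the ZEROFILL decimal through to_string_native().` The claim about ENCRYPT() is inferred from the commit title and should be confirmed before it is written down.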
...@@ -115,7 +115,7 @@ int my_decimal::to_string_native(String *str, uint fixed_prec, uint fixed_dec, ...@@ -115,7 +115,7 @@ int my_decimal::to_string_native(String *str, uint fixed_prec, uint fixed_dec,
? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1) ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1)
: my_decimal_string_length(this)); : my_decimal_string_length(this));
int result; int result;
if (str->alloc(length)) if (str->alloc(length+1)) // Alloc also space for \0
return check_result(mask, E_DEC_OOM); return check_result(mask, E_DEC_OOM);
result= decimal2string(this, (char*) str->ptr(), result= decimal2string(this, (char*) str->ptr(),
&length, (int)fixed_prec, fixed_dec, &length, (int)fixed_prec, fixed_dec,
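Review bot: The allocation is now `length+1`, but the `&length` passed to decimal2string() two lines later is still the unpadded value, so the terminator contract between the two is recorded only in the trailing comment on the `alloc()` line. Going by the commit message, decimal2string() writes a NUL after the digits. If that is right, the contract is better stated where `length` is computed, e.g. `// length excludes the trailing \0 written by decimal2string(); alloc() must reserve length+1`. Other call sites that size a buffer from `my_decimal_string_length()` or the `fixed_prec` formula may carry the same off-by-one and are worth checking. The body of to_string_native() starts and ends outside this hunk.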