authorTor Didriksen <tor.didriksen@oracle.com>2011-09-20 10:59:48 +0200
committerTor Didriksen <tor.didriksen@oracle.com>2011-09-20 10:59:48 +0200
commitdbcdad7d4a726a28aa0a210a674ec26d1ac5c98e (patch)
tree97dad6721f0a7fe5c025bd5628221d9a66e85f4d
parent3ad46f8111ac049c64ab3a9703c5c3f148aab162 (diff)
downloadmariadb-git-dbcdad7d4a726a28aa0a210a674ec26d1ac5c98e.tar.gz
Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY
mysql-test/r/func_str.result: New test cases. mysql-test/t/func_str.test: New test cases. strings/dtoa.c: Increasing the buffer size slightly made some queries pass without leaks. Adding Bfree(p51, alloc) fixed the remaining leaks.
-rw-r--r--mysql-test/r/func_str.result35
-rw-r--r--mysql-test/t/func_str.test19
-rw-r--r--strings/dtoa.c7
3 files changed, 59 insertions, 2 deletions
diff --git a/mysql-test/r/func_str.result b/mysql-test/r/func_str.result
index 81fe2413725..755763e6994 100644
--- a/mysql-test/r/func_str.result
+++ b/mysql-test/r/func_str.result
@@ -2785,5 +2785,40 @@ format(123,2,'no_NO')
123,00
DROP TABLE t1;
#
+# Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY
+#
+SELECT (rpad(1.0,2048,1)) IS NOT FALSE;
+(rpad(1.0,2048,1)) IS NOT FALSE
+1
+SELECT ((+0) IN
+((0b111111111111111111111111111111111111111111111111111),(rpad(1.0,2048,1)),
+(32767.1)));
+((+0) IN
+((0b111111111111111111111111111111111111111111111111111),(rpad(1.0,2048,1)),
+(32767.1)))
+0
+SELECT ((rpad(1.0,2048,1)) = ('4(') ^ (0.1));
+((rpad(1.0,2048,1)) = ('4(') ^ (0.1))
+0
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: '4('
+SELECT
+pow((rpad(1.0,2048,1)),(b'1111111111111111111111111111111111111111111'));
+ERROR 22003: DOUBLE value is out of range in 'pow(rpad(1.0,2048,1),0x07ffffffffff)'
+SELECT ((rpad(1.0,2048,1)) + (0) ^ ('../'));
+((rpad(1.0,2048,1)) + (0) ^ ('../'))
+1.011111111111111
+Warnings:
+Warning 1292 Truncated incorrect INTEGER value: '../'
+SELECT stddev_samp(rpad(1.0,2048,1));
+stddev_samp(rpad(1.0,2048,1))
+NULL
+SELECT ((127.1) not in ((rpad(1.0,2048,1)),(''),(-1.1)));
+((127.1) not in ((rpad(1.0,2048,1)),(''),(-1.1)))
+1
+SELECT ((0xf3) * (rpad(1.0,2048,1)) << (0xcc));
+((0xf3) * (rpad(1.0,2048,1)) << (0xcc))
+0
+#
# End of 5.5 tests
#
diff --git a/mysql-test/t/func_str.test b/mysql-test/t/func_str.test
index 9a9a8110a74..2a14648d6f6 100644
--- a/mysql-test/t/func_str.test
+++ b/mysql-test/t/func_str.test
@@ -1437,5 +1437,24 @@ SELECT * FROM t1;
DROP TABLE t1;
--echo #
+--echo # Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY
+--echo #
+
+SELECT (rpad(1.0,2048,1)) IS NOT FALSE;
+SELECT ((+0) IN
+((0b111111111111111111111111111111111111111111111111111),(rpad(1.0,2048,1)),
+(32767.1)));
+SELECT ((rpad(1.0,2048,1)) = ('4(') ^ (0.1));
+
+--error 1690
+SELECT
+pow((rpad(1.0,2048,1)),(b'1111111111111111111111111111111111111111111'));
+SELECT ((rpad(1.0,2048,1)) + (0) ^ ('../'));
+SELECT stddev_samp(rpad(1.0,2048,1));
+SELECT ((127.1) not in ((rpad(1.0,2048,1)),(''),(-1.1)));
+SELECT ((0xf3) * (rpad(1.0,2048,1)) << (0xcc));
+
+
+--echo #
--echo # End of 5.5 tests
--echo #
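Review bot: The new cases pin only query results and warnings, so on an ordinary run they would pass with or without the strings/dtoa.c change. The leak itself is presumably visible only under Valgrind or another leak-checking build. I would say so in the test header, e.g. `# Results are unaffected by the leak; run with --valgrind to verify the fix.`, so the cases are not later pruned as redundant arithmetic checks. A short comment that `rpad(1.0,2048,1)` is there to produce a very long decimal string would also help the next reader.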
diff --git a/strings/dtoa.c b/strings/dtoa.c
index e4eb10bb6f8..05c9bb6e529 100644
--- a/strings/dtoa.c
+++ b/strings/dtoa.c
@@ -46,7 +46,7 @@
see if it is possible to get rid of malloc().
this constant is sufficient to avoid malloc() on all inputs I have tried.
*/
-#define DTOA_BUFF_SIZE (420 * sizeof(void *))
+#define DTOA_BUFF_SIZE (460 * sizeof(void *))
/* Magic value returned by dtoa() to indicate overflow */
#define DTOA_OVERFLOW 9999
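Review bot: The new value 460 in `DTOA_BUFF_SIZE` has no stated derivation, and the comment above it still says only that the constant was enough for the inputs tried. The commit description says the bump made some queries stop leaking, which suggests those leaks sit on the malloc() fallback path and are now harder to reach rather than fixed. I would record that next to the define, e.g. `/* 460: covers the Bug#12985030 cases; larger inputs still fall back to malloc() */`, and keep at least one test that deliberately exceeds the buffer so the fallback stays exercised under a leak checker.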
@@ -659,6 +659,7 @@ typedef struct Stack_alloc
static Bigint *Balloc(int k, Stack_alloc *alloc)
{
Bigint *rv;
+ DBUG_ASSERT(k <= Kmax);
if (k <= Kmax && alloc->freelist[k])
{
rv= alloc->freelist[k];
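Review bot: The added `DBUG_ASSERT(k <= Kmax);` checks only the upper bound, while `k` is a signed int used directly as an index in `alloc->freelist[k]` on the following line. If a negative `k` can never arrive, asserting that costs nothing: `DBUG_ASSERT(k >= 0 && k <= Kmax);`. DBUG_ASSERT is a debug-build check, so the `k <= Kmax` test inside the `if` remains the only guard in release builds. A short comment such as `/* debug aid only; the runtime check below must stay */` would keep someone from removing that test as redundant. Balloc's body continues past the end of this hunk.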
@@ -1005,7 +1006,7 @@ static Bigint p5_a[]=
static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
{
- Bigint *b1, *p5, *p51;
+ Bigint *b1, *p5, *p51=NULL;
int i;
static int p05[3]= { 5, 25, 125 };
@@ -1037,6 +1038,8 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
p5= p51;
}
}
+ if (p51)
+ Bfree(p51, alloc);
return b;
}
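Review bot: The cleanup before `return b;` is keyed on `p51`, but the visible `p5= p51;` shows that the live power-of-five object is tracked through `p5`. If any branch of the loop outside this hunk allocates straight into `p5` and the loop exits before the next `p51` assignment, that allocation would still be lost with `p51` left NULL. This is worth confirming against the full loop body, most of which is not shown here. If the intent is that only heap-allocated powers are released, a comment would make that explicit: `/* p51 is the last allocated power of 5; entries of the static p5_a table are never freed */`.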