| field | value | date |
|---|---|---|
| author | Daniel Black <daniel@mariadb.org> | 2021-08-18 16:07:15 +1000 |
| committer | Daniel Black <daniel@mariadb.org> | 2021-08-18 20:13:01 +1000 |
| commit | 0dec71ca53729bd1a565bdc800e64008b44ffa48 (patch) | |
| tree | 6616b7ab16b8bf16964c1cf60eb0a78cf03e75bf | |
| parent | f73eea4984b632c1955211b9ea5b54be9dd56975 (diff) | |
| download | mariadb-git-0dec71ca53729bd1a565bdc800e64008b44ffa48.tar.gz | |
MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0
Due to an integer overflow an invalid size of ref_pointer_array could be
allocated.
Using size_t allows this to continue. Allocation failures are
handled gracefully if the value is too big.
Thanks to Zuming Jiang for the bug report and fuzzing MariaDB.
Reviewer: Sanja
-rw-r--r-- | sql/sql_lex.cc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc index eaaa3139c59..b7ed632ed12 100644 --- a/sql/sql_lex.cc +++ b/sql/sql_lex.cc @@ -2698,7 +2698,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num) prepared statement */ Query_arena *arena= thd->stmt_arena; - const uint n_elems= (n_sum_items + + const size_t n_elems= (n_sum_items + n_child_sum_items + item_list.elements + select_n_reserved + @@ -2706,7 +2706,8 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num) select_n_where_fields + order_group_num + hidden_bit_fields + - fields_in_window_functions) * 5; + fields_in_window_functions) * (size_t) 5; + DBUG_ASSERT(n_elems % 5 == 0); if (!ref_pointer_array.is_null()) { /* |
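Review bot: the first hunk changes the declared type of `n_elems` from `uint` to `size_t`, but the hunk does not show where `n_elems` is consumed; please confirm that the allocation call it is passed to takes a `size_t` (or at least does not narrow it back to `uint`), otherwise the widened value is truncated again at the call site and the overflow simply moves one line down.

Review bot: in the second hunk the cast widens only the multiplication. The parenthesised sum `(n_sum_items + n_child_sum_items + ... + fields_in_window_functions)` is still evaluated in `unsigned int` before it meets `(size_t) 5`, so the counters can still wrap modulo 2^32 if their sum exceeds `UINT_MAX`, and `DBUG_ASSERT(n_elems % 5 == 0)` will not notice, because a wrapped sum times 5 is still a multiple of 5. Casting the first operand instead, e.g. `const size_t n_elems= ((size_t) n_sum_items +`, moves the whole expression into `size_t`. Also note that on 32-bit builds `size_t` is 32 bits, so there this change widens nothing and the original overflow remains, with the assert firing only in debug builds; an explicit bounds check before the allocation, or overflow-checked arithmetic, would be robust on both widths.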
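The following is an added example in C, not MariaDB code, that reproduces the sizing arithmetic the commit message describes: the pre-fix `uint` computation that wraps, the committed `* (size_t) 5` form, and an overflow-checked variant that refuses instead of wrapping even where `size_t` is 32 bits. The `ref_counts` struct, the `REF_COUNT_SUM` macro, the function names and the sample inputs are all constructed for illustration; only the counter names visible in the diff are reused, and the real expression in `setup_ref_array()` has more terms than are shown here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the st_select_lex counters that
 * setup_ref_array() adds up. Only the names visible in the diff are used;
 * all are unsigned int, which is what MariaDB's `uint` is. */
typedef struct {
    unsigned int n_sum_items;
    unsigned int n_child_sum_items;
    unsigned int item_list_elements;   /* stands in for item_list.elements */
    unsigned int select_n_reserved;
    unsigned int select_n_where_fields;
    unsigned int order_group_num;
    unsigned int hidden_bit_fields;
    unsigned int fields_in_window_functions;
} ref_counts;

/* The parenthesised sum, exactly as the diff shapes it: every operand is
 * unsigned int, so the addition itself is 32-bit modular arithmetic. */
#define REF_COUNT_SUM(c)                                                   \
    ((c)->n_sum_items + (c)->n_child_sum_items + (c)->item_list_elements + \
     (c)->select_n_reserved + (c)->select_n_where_fields +                 \
     (c)->order_group_num + (c)->hidden_bit_fields +                       \
     (c)->fields_in_window_functions)

/* Before the fix: sum and multiplication are both unsigned int, so the
 * result wraps modulo 2^32 and can come out small, and not divisible by 5. */
unsigned int n_elems_before(const ref_counts *c)
{
    const unsigned int n_elems = REF_COUNT_SUM(c) * 5;
    return n_elems;
}

/* As committed: only the multiplication is widened to size_t; the sum in
 * parentheses is still computed in unsigned int before the cast applies. */
size_t n_elems_after(const ref_counts *c)
{
    const size_t n_elems = REF_COUNT_SUM(c) * (size_t) 5;
    return n_elems;
}

/* Overflow-checked variant (example technique, not MariaDB's): accumulate
 * in size_t with the GCC/Clang overflow builtins and refuse on any wrap,
 * including the byte size of the resulting Item* array. Returns SIZE_MAX
 * as the "cannot be represented" sentinel; SIZE_MAX is never a valid count
 * because SIZE_MAX * sizeof(void *) cannot fit in a size_t either. */
size_t n_elems_checked(const ref_counts *c)
{
    const unsigned int parts[] = {
        c->n_sum_items, c->n_child_sum_items, c->item_list_elements,
        c->select_n_reserved, c->select_n_where_fields, c->order_group_num,
        c->hidden_bit_fields, c->fields_in_window_functions,
    };
    size_t sum = 0, n_elems, bytes;

    for (size_t i = 0; i < sizeof(parts) / sizeof(parts[0]); i++)
        if (__builtin_add_overflow(sum, parts[i], &sum))
            return SIZE_MAX;
    if (__builtin_mul_overflow(sum, (size_t) 5, &n_elems))
        return SIZE_MAX;
    if (__builtin_mul_overflow(n_elems, sizeof(void *), &bytes))
        return SIZE_MAX;                /* allocation size would wrap too */
    return n_elems;
}

int main(void)
{
    /* Constructed input 1: one counter of 2^30. 2^30 * 5 does not fit in
     * 32 bits, which is the overflow the commit addresses. */
    ref_counts big = { .order_group_num = 1u << 30 };
    /* Constructed input 2: counters whose sum wraps in unsigned int. The
     * committed cast on the multiplier does not help here. */
    ref_counts wrapsum = { .n_sum_items = UINT_MAX, .n_child_sum_items = 2 };

    printf("before:  %u (%% 5 = %u)\n", n_elems_before(&big),
           n_elems_before(&big) % 5);
    printf("after:   %zu\n", n_elems_after(&big));
    printf("checked: %zu\n", n_elems_checked(&big));
    printf("sum wrap, after: %zu  checked: %zu\n",
           n_elems_after(&wrapsum), n_elems_checked(&wrapsum));
    return 0;
}
```

On a 64-bit build the first input shows why the `% 5` assertion in the commit is a useful tripwire: the wrapped `uint` result is 1073741824, which leaves remainder 4, while the `size_t` form yields the true 5368709120. The second input shows the limit of casting only the multiplier: both the old and the committed expressions return 5, whereas the checked version returns the real count (21474836485) on 64-bit and `SIZE_MAX` on 32-bit, where neither the sum nor the product is representable.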