authorDaniel Black <daniel@mariadb.org>2021-08-18 16:07:15 +1000
committerDaniel Black <daniel@mariadb.org>2021-08-18 20:13:01 +1000
commit0dec71ca53729bd1a565bdc800e64008b44ffa48 (patch)
tree6616b7ab16b8bf16964c1cf60eb0a78cf03e75bf
parentf73eea4984b632c1955211b9ea5b54be9dd56975 (diff)
downloadmariadb-git-0dec71ca53729bd1a565bdc800e64008b44ffa48.tar.gz
MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0
Due to an integer overflow an invalid (too small) size of ref_pointer_array could be allocated. Using size_t allows this to continue. Allocation failures are handled gracefully if the value is too big. Thanks to Zuming Jiang for the bug report and fuzzing MariaDB. Reviewer: Sanja
-rw-r--r--sql/sql_lex.cc5
1 files changed, 3 insertions, 2 deletions
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index eaaa3139c59..b7ed632ed12 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -2698,7 +2698,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
prepared statement
*/
Query_arena *arena= thd->stmt_arena;
- const uint n_elems= (n_sum_items +
+ const size_t n_elems= (n_sum_items +
n_child_sum_items +
item_list.elements +
select_n_reserved +
@@ -2706,7 +2706,8 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
select_n_where_fields +
order_group_num +
hidden_bit_fields +
- fields_in_window_functions) * 5;
+ fields_in_window_functions) * (size_t) 5;
+ DBUG_ASSERT(n_elems % 5 == 0);
if (!ref_pointer_array.is_null())
{
/*
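Review bot: The nine-term sum on the new side is still evaluated in the summands' own type before the `* (size_t) 5`, so if those counters are 32-bit (order_group_num is declared `uint` in the signature shown in the hunk header; the member types are not visible here) the addition can still wrap and only the second overflow, the multiply, is removed. Widening the first operand promotes the whole chain, e.g. `const size_t n_elems= ((size_t) n_sum_items +` with the remaining terms unchanged and a plain `* 5`, which makes the `(size_t) 5` cast redundant. The `DBUG_ASSERT(n_elems % 5 == 0)` on the new line would not detect a wrapped sum either, since five times any wrapped 32-bit value is still a multiple of 5, and on 64-bit builds a 32-bit value times 5 cannot wrap at all; it is also debug-only, so it does nothing for release builds where an undersized ref_pointer_array would become an out-of-bounds write rather than a failed allocation. If the intent is a release-time guard, a comment stating the bound the counters are expected to respect, or an explicit check that the sum fits before multiplying, would make the contract explicit. setup_ref_array's body continues past the hunk.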