author | unknown <gkodinov/kgeorge@magare.gmz[kgeorge]> | 2007-03-26 12:32:51 +0300 |
---|---|---|
committer | unknown <gkodinov/kgeorge@magare.gmz[kgeorge]> | 2007-03-26 12:32:51 +0300 |
commit | 9e6a59598c2ebfde37b843e23cf16d77c6c69392 (patch) | |
tree | 6db39b6b491b4cb79b3ee24fb43c2b4e94e9e2e1 /mysql-test/r/sp-code.result | |
parent | c242662096e1ce16b249c478702be54c190d3f5e (diff) | |
download | mariadb-git-9e6a59598c2ebfde37b843e23cf16d77c6c69392.tar.gz |
Bug #26303: Reserve is not called before qs_append().
This may lead to buffer overflow.
The String::qs_append() function will append a string
without checking if there's enough space.
So qs_append() must be called beforehand to ensure
there's enough space in the buffer for the subsequent
qs_append() calls.
Fixed Item_case_expr::print() to make sure there's
enough space before appending data by adding a call to
String::reserve() to make sure qs_append() will have
enough space.
mysql-test/r/sp-code.result:
Bug #26303: test case
mysql-test/t/sp-code.test:
Bug #26303: test case
sql/item.cc:
Bug #26303: added a call to String::reserve() to
make sure qs_append will have enough space
sql/item.h:
Bug #26303: m_case_expr_id made unsigned
because it's offset in an array.
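The reserve-then-append contract described in the commit message, as an added example that is not MariaDB's code: `QuickBuf` and `print_case_expr` are hypothetical names for a simplified model, and its unchecked append records a contract violation instead of writing past the buffer. It assumes a 32-bit `unsigned` and the `case_expr@` prefix seen in the test output.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Simplified model of a string buffer with an unchecked "quick" append.
// Hypothetical type, not MariaDB's String class.
struct QuickBuf {
    char  *ptr = nullptr;
    size_t len = 0, cap = 0;
    bool   violated = false;  // set when a quick append had no reserved space
    ~QuickBuf() { std::free(ptr); }

    // Ensure room for `need` more bytes; returns true on allocation failure.
    bool reserve(size_t need) {
        if (len + need <= cap) return false;
        char *p = static_cast<char *>(std::realloc(ptr, len + need));
        if (!p) return true;
        ptr = p;
        cap = len + need;
        return false;
    }
    // Contract: the caller has already reserved space. An unchecked append
    // would copy regardless; the model flags the violation and skips the copy.
    void qs_append(const char *s, size_t n) {
        if (len + n > cap) { violated = true; return; }
        std::memcpy(ptr + len, s, n);
        len += n;
    }
    void qs_append(unsigned v) {
        char tmp[16];
        int n = std::snprintf(tmp, sizeof tmp, "%u", v);
        qs_append(tmp, static_cast<size_t>(n));
    }
    std::string str() const { return std::string(ptr ? ptr : "", len); }
};

static_assert(sizeof(unsigned) <= 4, "kMaxUintLen assumes a 32-bit unsigned");
static const char   kPrefix[]   = "case_expr@";
static const size_t kMaxUintLen = 10;  // digits in 4294967295

// Prints "case_expr@<id>". With reserve_first == false this is the "before"
// shape (quick appends with no reservation); with true, the worst case is
// reserved once so both quick appends stay inside the buffer.
bool print_case_expr(QuickBuf &b, unsigned id, bool reserve_first) {
    if (reserve_first && b.reserve(sizeof kPrefix - 1 + kMaxUintLen))
        return false;  // allocation failed, nothing appended
    b.qs_append(kPrefix, sizeof kPrefix - 1);
    b.qs_append(id);
    return !b.violated;
}
```

Sizing the reservation for the widest value the id can take, rather than for the value at hand, is what keeps the second append safe for every id.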
Diffstat (limited to 'mysql-test/r/sp-code.result')
-rw-r--r-- | mysql-test/r/sp-code.result | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/mysql-test/r/sp-code.result b/mysql-test/r/sp-code.result index 67b030f87a4..588f4329368 100644 --- a/mysql-test/r/sp-code.result +++ b/mysql-test/r/sp-code.result @@ -621,3 +621,20 @@ Pos Instruction 0 stmt 2 "CREATE INDEX idx ON t1 (c1)" DROP PROCEDURE p1; End of 5.0 tests. +CREATE PROCEDURE p1() +BEGIN +DECLARE dummy int default 0; +CASE 12 +WHEN 12 +THEN SET dummy = 0; +END CASE; +END// +SHOW PROCEDURE CODE p1; +Pos Instruction +0 set dummy@0 0 +1 set_case_expr (6) 0 12 +2 jump_if_not 5(6) (case_expr@0 = 12) +3 set dummy@0 0 +4 jump 6 +5 error 1339 +DROP PROCEDURE p1; |
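Review bot: The new case is appended after the `End of 5.0 tests.` line that opens the hunk's context, so that marker no longer marks the end of the 5.0 section; place the case above the marker or close it with its own end marker. The expected output also carries nothing that identifies it as the Bug #26303 regression case, so an echoed comment line ahead of `CREATE PROCEDURE p1()` in the .test file would make the purpose visible in this result file. The only id exercised is the single-digit `case_expr@0`, which pins the printed form but not the length of a larger id; consider whether a case that produces a longer id is worth adding.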