author | Sergei Golubchik <serg@mariadb.org> | 2019-10-19 09:32:11 +0200 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2019-10-19 11:48:38 +0200 |
commit | 719ac0ad4af0dd1e20dbc94eff8f8c9f786b3393 (patch) | |
tree | 3d24a565f176fac100a0b4694c290d050780f186 /mysql-test | |
parent | 412e3e6917233fe612354622a18b3f9cdf3a350c (diff) | |
crash in string-to-int conversion
Using a specially crafted string, one could overflow the `shift`
variable and cause a crash by dereferencing d10[-2147483648]
(on a sufficiently old gcc).
This is a correct fix and a test case for
Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
Diffstat (limited to 'mysql-test')
-rw-r--r-- | mysql-test/r/func_math.result | 40 | ||||
-rw-r--r-- | mysql-test/t/func_math.test | 25 |
2 files changed, 65 insertions, 0 deletions
diff --git a/mysql-test/r/func_math.result b/mysql-test/r/func_math.result
index 6edaa2e4d96..7e010297885 100644
--- a/mysql-test/r/func_math.result
+++ b/mysql-test/r/func_math.result
@@ -829,5 +829,45 @@ t1 CREATE TABLE `t1` (
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 DROP TABLE t1;
 #
+# Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
+#
+create table t1(a int);
+insert t1 values("1e-214748364");
+Warnings:
+Warning 1265 Data truncated for column 'a' at row 1
+insert t1 values("1e-2147483648");
+Warnings:
+Warning 1265 Data truncated for column 'a' at row 1
+insert t1 values("1e-21474836480");
+Warnings:
+Warning 1265 Data truncated for column 'a' at row 1
+insert t1 values("1e+214748364");
+Warnings:
+Warning 1264 Out of range value for column 'a' at row 1
+insert t1 values("1e+2147483647");
+Warnings:
+Warning 1264 Out of range value for column 'a' at row 1
+insert t1 values("1e+21474836470");
+Warnings:
+Warning 1264 Out of range value for column 'a' at row 1
+set global max_allowed_packet= cast(2*1024*1024*1024+1024 as unsigned);
+Warnings:
+Warning 1292 Truncated incorrect max_allowed_packet value: '2147484672'
+set @a=2147483647;
+insert t1 values (concat('1', repeat('0', @a+18), 'e-', @a-1, '0'));
+Warnings:
+Warning 1301 Result of repeat() was larger than max_allowed_packet (1073741824) - truncated
+set global max_allowed_packet=default;
+select * from t1;
+a
+0
+0
+0
+2147483647
+2147483647
+2147483647
+NULL
+drop table t1;
+#
 # End of 5.5 tests
 #
diff --git a/mysql-test/t/func_math.test b/mysql-test/t/func_math.test
index 1b5fa519c09..aca81e96de1 100644
--- a/mysql-test/t/func_math.test
+++ b/mysql-test/t/func_math.test
@@ -615,5 +615,30 @@ DROP TABLE t1; --echo # +--echo # Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST +--echo # + +create table t1(a int); +insert t1 values("1e-214748364"); +insert t1 values("1e-2147483648"); +insert t1 values("1e-21474836480"); +insert t1 values("1e+214748364"); +insert t1 values("1e+2147483647"); +insert t1 values("1e+21474836470"); + +# if max max_allowed_packet will ever be increased beyond 2GB, this could +# break again: +set global max_allowed_packet= cast(2*1024*1024*1024+1024 as unsigned); +connect foo,localhost,root; +set @a=2147483647; +insert t1 values (concat('1', repeat('0', @a+18), 'e-', @a-1, '0')); +disconnect foo; +connection default; +set global max_allowed_packet=default; + +select * from t1; +drop table t1; + +--echo # --echo # End of 5.5 tests --echo # |
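Review bot: The last case restores the server-wide setting with `set global max_allowed_packet=default;`, which resets it to the built-in default rather than to the value the run started with, so a suite started with a non-default packet size is left altered for every later test. Saving it first with `set @save_max_allowed_packet=@@global.max_allowed_packet;` and restoring from `@save_max_allowed_packet` would avoid that. The comment above that case should also say what the recorded output shows: the packet size is truncated (warning 1292) and repeat() is capped at 1073741824 bytes (warning 1301), so this insert stores NULL and does not reach the long-mantissa conversion path today. A suggested wording is `# repeat() is capped by max_allowed_packet, so this currently inserts NULL; kept as a guard in case the cap is ever raised above 2GB`. The six exponent cases only cover an insert into a signed `int` column; if the fixed routine is shared with unsigned or bigint conversion (not visible in this mysql-test-only view), one case per path would pin the fix more tightly.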