authorunknown <gkodinov/kgeorge@magare.gmz[kgeorge]>2007-03-26 12:32:51 +0300
committerunknown <gkodinov/kgeorge@magare.gmz[kgeorge]>2007-03-26 12:32:51 +0300
commit9e6a59598c2ebfde37b843e23cf16d77c6c69392 (patch)
tree6db39b6b491b4cb79b3ee24fb43c2b4e94e9e2e1 /sql/item.h
parentc242662096e1ce16b249c478702be54c190d3f5e (diff)
downloadmariadb-git-9e6a59598c2ebfde37b843e23cf16d77c6c69392.tar.gz
Bug #26303: Reserve is not called before qs_append().
This may lead to buffer overflow. The String::qs_append() function will append a string without checking if there's enough space. So String::reserve() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space. mysql-test/r/sp-code.result: Bug #26303: test case mysql-test/t/sp-code.test: Bug #26303: test case sql/item.cc: Bug #26303: added a call to String::reserve() to make sure qs_append will have enough space sql/item.h: Bug #26303: m_case_expr_id made unsigned because it's offset in an array.
Diffstat (limited to 'sql/item.h')
-rw-r--r--sql/item.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/sql/item.h b/sql/item.h
index 955f9c8489a..2cffe985480 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -1116,7 +1116,7 @@ inline Item_result Item_splocal::result_type() const
class Item_case_expr :public Item_sp_variable
{
public:
- Item_case_expr(int case_expr_id);
+ Item_case_expr(uint case_expr_id);
public:
Item *this_item();
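Review bot: Changing `case_expr_id` from `int` to `uint` in the constructor removes negative values from the type but not from the callers: a call site that still passes a signed value has it converted silently, and a negative id becomes a very large offset. Since the commit message describes the id as an offset in an array, the range check belongs where the id is used, which is outside this header; I would at least state the contract on the declaration, e.g. `/* case_expr_id: offset into an array; must already be range-checked by the caller */`. The same applies to `m_case_expr_id` in the second hunk. The class body continues outside both hunks, so whether print() or this_item() validate the id cannot be confirmed from this page.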
@@ -1135,7 +1135,7 @@ public:
void print(String *str);
private:
- int m_case_expr_id;
+ uint m_case_expr_id;
};
/*****************************************************************************