Bug #30587: mysql crashes when trying to group by TIME div NUMBER

When calculating the result length of an integer DIV function the number of decimals was used without checking the result type first. Thus an uninitialized number of decimals was used for some types. This caused an excessive amount of memory to be allocated for the field's buffer and crashed the server. Fixed by using the number of decimals only for data types that can have decimals and thus have valid decimals number.
author: gkodinov/kgeorge@macbook.gmz <> 2007-09-28 16:46:05 +0300
committer: gkodinov/kgeorge@macbook.gmz <> 2007-09-28 16:46:05 +0300
commit: aa2d545de2bc47b7a09d677b9240376ef7dc453b (patch)
tree: e17a84a94ed96a56d4a7125a08e81d41cef2429d /sql/item_func.cc
parent: 56c927e69622f24ddd04b9fcd76c4f02a3bb7674 (diff)
download: mariadb-git-aa2d545de2bc47b7a09d677b9240376ef7dc453b.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/sql/item_func.cc b/sql/item_func.cc
index d03d497dfd0..a90cc721ca9 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1380,7 +1380,11 @@ longlong Item_func_int_div::val_int()
 
 void Item_func_int_div::fix_length_and_dec()
 {
-  max_length=args[0]->max_length - args[0]->decimals;
+  Item_result argtype= args[0]->result_type();
+  /* use precision ony for the data type it is applicable for and valid */
+  max_length=args[0]->max_length -
+    (argtype == DECIMAL_RESULT || argtype == INT_RESULT ?
+     args[0]->decimals : 0);
   maybe_null=1;
   unsigned_flag=args[0]->unsigned_flag | args[1]->unsigned_flag;
 }
author	gkodinov/kgeorge@macbook.gmz <>	2007-09-28 16:46:05 +0300
committer	gkodinov/kgeorge@macbook.gmz <>	2007-09-28 16:46:05 +0300
commit	aa2d545de2bc47b7a09d677b9240376ef7dc453b (patch)
tree	e17a84a94ed96a56d4a7125a08e81d41cef2429d /sql/item_func.cc
parent	56c927e69622f24ddd04b9fcd76c4f02a3bb7674 (diff)
download	mariadb-git-aa2d545de2bc47b7a09d677b9240376ef7dc453b.tar.gz