Bug #44796: valgrind: too many my_longlong10_to_str_8bit

             warnings after uncompressed_length 
 
UNCOMPRESSED_LENGTH() did not validate its argument. In 
particular, if the argument length was less than 4 bytes, 
an uninitialized memory value was returned as a result. 
 
Since the result of COMPRESS() is either an empty string or 
a 4-byte length prefix followed by compressed data, the bug was 
fixed by ensuring that the argument of UNCOMPRESSED_LENGTH() is 
either an empty string or contains at least 5 bytes (as done in 
UNCOMPRESS()). This is the best we can do to validate input 
without decompressing. 

mysql-test/r/func_compress.result:
  Added a test case for bug #44796.
mysql-test/t/func_compress.test:
  Added a test case for bug #44796.
sql/item_strfunc.cc:
  Make sure that the argument of UNCOMPRESSED_LENGTH() contains 
  at least 5 bytes (as done in UNCOMPRESS()).

1 files changed, 15 insertions, 1 deletions

diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index bc2dcb9c61b..4941f427731 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3108,7 +3108,21 @@ longlong Item_func_uncompressed_length::val_int()
   if (res->is_empty()) return 0;
 
   /*
-    res->ptr() using is safe because we have tested that string is not empty,
+    If length is <= 4 bytes, data is corrupt. This is the best we can do
+    to detect garbage input without decompressing it.
+  */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_ERROR,
+                        ER_ZLIB_Z_DATA_ERROR,
+                        ER(ER_ZLIB_Z_DATA_ERROR));
+    null_value= 1;
+    return 0;
+  }
+
+ /*
+    res->ptr() using is safe because we have tested that string is at least
+    5 bytes long.
     res->c_ptr() is not used because:
       - we do not need \0 terminated string to get first 4 bytes
       - c_ptr() tests simbol after string end (uninitialiozed memory) which