author | Alexander Barkov <bar@mariadb.com> | 2019-03-14 10:05:38 +0400 |
committer | Alexander Barkov <bar@mariadb.com> | 2019-03-14 10:05:38 +0400 |
commit | cb66cdc6f80a32b9ea363f8d59ccb665730a4464 (patch) | |
tree | 542bc5190793c27d3331fa918bf22507813e9f02 /sql/item_timefunc.cc | |
parent | d7a38eaf1a3b3138a77156a64fba7f90a5dc6257 (diff) | |
MDEV-14926 AddressSanitizer: heap-use-after-free in make_date_time on weird combination of functions
Diffstat (limited to 'sql/item_timefunc.cc')
-rw-r--r-- | sql/item_timefunc.cc | 16 |
1 files changed, 6 insertions, 10 deletions
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
index 83949f2502e..c10b6442ce8 100644
--- a/sql/item_timefunc.cc
+++ b/sql/item_timefunc.cc
@@ -455,7 +455,7 @@ err:
 Create a formated date/time value in a string.
 */
-static bool make_date_time(DATE_TIME_FORMAT *format, MYSQL_TIME *l_time,
+static bool make_date_time(const LEX_CSTRING &format, MYSQL_TIME *l_time,
 timestamp_type type, MY_LOCALE *locale, String *str)
 {
 char intbuff[15];
@@ -469,7 +469,7 @@ static bool make_date_time(DATE_TIME_FORMAT *format, MYSQL_TIME *l_time,
 if (l_time->neg)
 str->append('-');
- end= (ptr= format->format.str) + format->format.length;
+ end= (ptr= format.str) + format.length;
 for (; ptr != end ; ptr++)
 {
 if (*ptr != '%' || ptr+1 == end)
@@ -1949,6 +1949,7 @@ uint Item_func_date_format::format_length(const String *format)
 String *Item_func_date_format::val_str(String *str)
 {
+ StringBuffer<64> format_buffer;
 String *format;
 MYSQL_TIME l_time;
 uint size;
@@ -1958,7 +1959,7 @@ String *Item_func_date_format::val_str(String *str)
 if (get_arg0_date(&l_time, is_time_flag))
 return 0;
- if (!(format = args[1]->val_str(str)) || !format->length())
+ if (!(format= args[1]->val_str(&format_buffer)) || !format->length())
 goto null_date;
 if (fixed_length)
@@ -1969,18 +1970,13 @@ String *Item_func_date_format::val_str(String *str)
 if (size < MAX_DATE_STRING_REP_LENGTH)
 size= MAX_DATE_STRING_REP_LENGTH;
- if (format == str)
- str= &value; // Save result here
+ DBUG_ASSERT(format != str);
 if (str->alloc(size))
 goto null_date;
- DATE_TIME_FORMAT date_time_format;
- date_time_format.format.str= (char*) format->ptr();
- date_time_format.format.length= format->length();
-
 /* Create the result string */
 str->set_charset(collation.collation);
- if (!make_date_time(&date_time_format, &l_time,
+ if (!make_date_time(format->lex_cstring(), &l_time,
 is_time_format ? MYSQL_TIMESTAMP_TIME :
 MYSQL_TIMESTAMP_DATE,
 locale, str))
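Review bot: The new `StringBuffer<64> format_buffer` declaration and the `args[1]->val_str(&format_buffer)` call carry no comment saying why the format must not be fetched into `str`, so a later cleanup could fold it back to `args[1]->val_str(str)` and silently reintroduce the heap-use-after-free this commit fixes. As far as the hunks show, the reason is that `format` is still read by `make_date_time()` after `str->alloc(size)` and `str->set_charset()` have been applied to `str`, so any buffer sharing between the two Strings leaves `format` dangling once `str` reallocates; the removed `format == str` check presumably only caught the pointer-identical case, not a returned String whose storage belonged to `str`. Suggest documenting the invariant at the declaration: `StringBuffer<64> format_buffer; // must not alias str: str is reallocated below while format is still read by make_date_time()`. Note that `DBUG_ASSERT(format != str)` in the last hunk is compiled out of release builds, so the comment rather than the assert is what protects this invariant for production code. The body of `Item_func_date_format::val_str` continues outside the hunks shown.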