diff options
| author | Tatiana A. Nurnberg <azundris@mysql.com> | 2010-11-11 09:46:49 +0000 |
|---|---|---|
| committer | Tatiana A. Nurnberg <azundris@mysql.com> | 2010-11-11 09:46:49 +0000 |
| commit | ccbc24b45a79b6407487550fa19b40752d22fa7f (patch) | |
| tree | 37756177474cec058aad2e54b7fe51395c380c84 /sql/my_decimal.cc | |
| parent | 58dfba2899474553592479be24ef73947775eeaf (diff) | |
| download | mariadb-git-ccbc24b45a79b6407487550fa19b40752d22fa7f.tar.gz | |
Bug#55436: buffer overflow in debug binary of dbug_buff in Field_new_decimal::store_value
There were some misunderstandings about parameters pertaining to buffer-size.
Patches fixes the reported off by one and
clarifies the documentation.
mysql-test/r/type_newdecimal.result:
add test
mysql-test/t/type_newdecimal.test:
add test
sql/field.cc:
adjust buffer size by one to account for terminator.
sql/my_decimal.cc:
adjust buffer size by one to account for terminator.
clarify needs in comments.
sql/my_decimal.h:
clarify buffer-size needs to prevent future off-by-one bugs.
strings/decimal.c:
clarify buffer-size needs and parameters to prevent future off-by-one bugs
Diffstat (limited to 'sql/my_decimal.cc')
| -rw-r--r-- | sql/my_decimal.cc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc index 3aa01880b83..a38dc341684 100644 --- a/sql/my_decimal.cc +++ b/sql/my_decimal.cc @@ -95,10 +95,11 @@ int my_decimal2string(uint mask, const my_decimal *d, UNSIGNED. Hence the buffer for a ZEROFILLed value is the length the user requested, plus one for a possible decimal point, plus one if the user only wanted decimal places, but we force a leading - zero on them. Because the type is implicitly UNSIGNED, we do not - need to reserve a character for the sign. For all other cases, - fixed_prec will be 0, and my_decimal_string_length() will be called - instead to calculate the required size of the buffer. + zero on them, plus one for the '\0' terminator. Because the type + is implicitly UNSIGNED, we do not need to reserve a character for + the sign. For all other cases, fixed_prec will be 0, and + my_decimal_string_length() will be called instead to calculate the + required size of the buffer. */ int length= (fixed_prec ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1) @@ -275,7 +276,7 @@ print_decimal_buff(const my_decimal *dec, const uchar* ptr, int length) const char *dbug_decimal_as_string(char *buff, const my_decimal *val) { - int length= DECIMAL_MAX_STR_LENGTH; + int length= DECIMAL_MAX_STR_LENGTH + 1; /* minimum size for buff */ if (!val) return "NULL"; (void)decimal2string((decimal_t*) val, buff, &length, 0,0,0); |