authorTor Didriksen <tor.didriksen@oracle.com>2011-07-15 14:07:38 +0200
committerTor Didriksen <tor.didriksen@oracle.com>2011-07-15 14:07:38 +0200
commitcfcd49b467dc5de004310db1ff0810842ea3bb56 (patch)
tree5f91199b06f3efec177a65cf2102fda39e2b97c5 /sql/sql_string.cc
parent8e90c61923c72bc316e450b512089b65a5b53504 (diff)
downloadmariadb-git-cfcd49b467dc5de004310db1ff0810842ea3bb56.tar.gz
Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL
The buffer was simply too small. In 5.5 and trunk, the size is 311 + 31; in 5.1 and below, the size is 331. client/sql_string.cc: Increase buffer size in String::set(double, ...) include/m_string.h: Increase FLOATING_POINT_BUFFER mysql-test/r/type_float.result: New test cases. mysql-test/t/type_float.test: New test cases. sql/sql_string.cc: Increase buffer size in String::set(double, ...) sql/unireg.h: Move definition of FLOATING_POINT_BUFFER
Diffstat (limited to 'sql/sql_string.cc')
-rw-r--r--sql/sql_string.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
index 1c9a3cd7fc2..545643de49f 100644
--- a/sql/sql_string.cc
+++ b/sql/sql_string.cc
@@ -117,7 +117,7 @@ bool String::set(ulonglong num, CHARSET_INFO *cs)
bool String::set(double num,uint decimals, CHARSET_INFO *cs)
{
- char buff[331];
+ char buff[FLOATING_POINT_BUFFER];
uint dummy_errors;
str_charset=cs;
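Review bot: The new declaration `char buff[FLOATING_POINT_BUFFER];` gives no hint of what the constant must accommodate, although the whole fix rests on it being large enough for the longest `%.*f` rendering of a double plus the requested decimals. Add a comment at the declaration, e.g. `// Must hold sign, DBL_MAX's integer digits, the point and all requested decimals; see FLOATING_POINT_BUFFER (per the commit message, now in include/m_string.h)`, so the next change to the constant or to the accepted range of `decimals` is checked against it. The 311 + 31 quoted in the commit message suggests the caller bounds `decimals` at roughly 31; if a larger value can reach this function, the enlarged buffer is still too small on the sprintf path. The body of String::set(double, uint, CHARSET_INFO*) continues past this hunk.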
@@ -186,7 +186,9 @@ end:
#else
#ifdef HAVE_SNPRINTF
buff[sizeof(buff)-1]=0; // Safety
- snprintf(buff,sizeof(buff)-1, "%.*f",(int) decimals,num);
+ int num_chars= snprintf(buff, sizeof(buff)-1, "%.*f",(int) decimals, num);
+ DBUG_ASSERT(num_chars > 0);
+ DBUG_ASSERT(num_chars < (int) sizeof(buff));
#else
sprintf(buff,"%.*f",(int) decimals,num);
#endif
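Review bot: The upper-bound assertion added as the last `+` line is off by one: snprintf is called with a size of `sizeof(buff)-1`, so its return value signals truncation whenever `num_chars >= sizeof(buff)-1`, yet the assert only rejects `num_chars >= sizeof(buff)`; it should be `DBUG_ASSERT(num_chars < (int) sizeof(buff) - 1);` (or compare against the same size expression passed to snprintf). Both DBUG_ASSERTs vanish in release builds, so an oversized `decimals` there yields a silently truncated number rather than a diagnosed failure; if `decimals` is not bounded by every caller, a runtime check of the return value (or a clamp on `decimals`) is the defensive choice. The `#else` fallback `sprintf(buff,"%.*f",(int) decimals,num);` remains unbounded, so on builds without HAVE_SNPRINTF the overflow this commit addresses is mitigated only by the larger buffer, not by any length check. The enclosing function begins before and continues after this hunk.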