diff options
| author | Alexey Kopytov <Alexey.Kopytov@sun.com> | 2009-02-10 15:38:56 +0300 |
|---|---|---|
| committer | Alexey Kopytov <Alexey.Kopytov@sun.com> | 2009-02-10 15:38:56 +0300 |
| commit | fd8bf58ca972ef3f521aec03c0bd09fa3ec78335 (patch) | |
| tree | 219e44d3eb4674aaed2609c0cd29e52250017df7 /sql/sql_string.cc | |
| parent | ecfdc3560c1e20c673337420761fa11c084ed2d8 (diff) | |
| download | mariadb-git-fd8bf58ca972ef3f521aec03c0bd09fa3ec78335.tar.gz | |
Fix for bug #41868: crash or memory overrun with concat + upper,
date_format functions
String::realloc() did not check whether the existing string data fits in
the newly allocated buffer for cases when reallocating a String object
with external buffer (i.e.alloced == FALSE). This could lead to memory
overruns in some cases.
client/sql_string.cc:
Fixed String::realloc() to check whether the existing string data fits
in the newly allocated buffer for cases when reallocating a String
object with external buffer.
mysql-test/r/func_str.result:
Added a test case for bug #41868.
mysql-test/t/func_str.test:
Added a test case for bug #41868.
sql/sql_class.cc:
After each call to Item::send() in select_send::send_data() reset
buffer to its original state to reduce unnecessary malloc() calls. See
comments for bug #41868 for detailed analysis.
sql/sql_string.cc:
Fixed String::realloc() to check whether the existing string data fits
in the newly allocated buffer for cases when reallocating a String
object with external buffer.
Diffstat (limited to 'sql/sql_string.cc')
| -rw-r--r-- | sql/sql_string.cc | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/sql/sql_string.cc b/sql/sql_string.cc index 75e47dd0c8e..ed1dc9eac77 100644 --- a/sql/sql_string.cc +++ b/sql/sql_string.cc @@ -71,25 +71,22 @@ bool String::realloc(uint32 alloc_length) char *new_ptr; if (alloced) { - if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME)))) - { - Ptr=new_ptr; - Alloced_length=len; - } - else - return TRUE; // Signal error + if (!(new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME)))) + return TRUE; // Signal error } else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME)))) { + if (str_length > len - 1) + str_length= 0; if (str_length) // Avoid bugs in memcpy on AIX memcpy(new_ptr,Ptr,str_length); new_ptr[str_length]=0; - Ptr=new_ptr; - Alloced_length=len; alloced=1; } else return TRUE; // Signal error + Ptr= new_ptr; + Alloced_length= len; } Ptr[alloc_length]=0; // This make other funcs shorter return FALSE; |