author | Alexey Kopytov <Alexey.Kopytov@sun.com> | 2009-02-03 20:19:01 +0300 |
committer | Alexey Kopytov <Alexey.Kopytov@sun.com> | 2009-02-03 20:19:01 +0300 |
commit | dfbba6e7fda2286a2c021a025fa82926551e01f9 (patch) | |
tree | f878e9c7f35c92af0cfcc10bdffa8aa396ba5df8 /sql | |
parent | ecfdc3560c1e20c673337420761fa11c084ed2d8 (diff) | |
download | mariadb-git-dfbba6e7fda2286a2c021a025fa82926551e01f9.tar.gz |
Fix for bug #41868: crash or memory overrun with concat + upper, date_format
functions
String::realloc() did not check whether the existing string data fits in the newly
allocated buffer for cases when reallocating a String object with external buffer
(i.e. alloced == FALSE). This could lead to memory overruns in some cases.
mysql-test/r/func_str.result:
Added a test case for bug #41868.
mysql-test/t/func_str.test:
Added a test case for bug #41868.
sql/sql_class.cc:
After each call to Item::send() in select_send::send_data() reset buffer to its
original state to reduce unnecessary malloc() calls. See comments for bug #41868
for detailed analysis.
sql/sql_string.cc:
Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
Diffstat (limited to 'sql')
-rw-r--r-- | sql/sql_class.cc | 5 | ||||
-rw-r--r-- | sql/sql_string.cc | 20 |
2 files changed, 15 insertions, 10 deletions
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 91c0aa66761..9ff602bb62e 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &items)
 my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
 break;
 }
+ /*
+ Reset buffer to its original state, as it may have been altered in
+ Item::send().
+ */
+ buffer.set(buff, sizeof(buff), &my_charset_bin);
 }
 thd->sent_row_count++;
 if (!thd->vio_ok())
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
index 75e47dd0c8e..b6ce4d8dc8d 100644
--- a/sql/sql_string.cc
+++ b/sql/sql_string.cc
@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length)
 if (alloced)
 {
 if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
- {
- Ptr=new_ptr;
- Alloced_length=len;
- }
+ new_ptr[alloc_length]= 0;
 else
- return TRUE; // Signal error
+ return TRUE; // Signal error
 }
 else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
 {
+ if (str_length > len - 1)
+ str_length= 0;
 if (str_length) // Avoid bugs in memcpy on AIX
- memcpy(new_ptr,Ptr,str_length);
- new_ptr[str_length]=0;
- Ptr=new_ptr;
- Alloced_length=len;
+ memcpy(new_ptr, Ptr, str_length);
+ new_ptr[str_length]= 0;
 alloced=1;
 }
 else
 return TRUE; // Signal error
+ Ptr= new_ptr;
+ Alloced_length= len;
 }
- Ptr[alloc_length]=0; // This make other funcs shorter
+ else
+ Ptr[alloc_length]= 0;
 return FALSE;
 }
 
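Review bot: The new comment above `buffer.set(buff, sizeof(buff), &my_charset_bin)` says the buffer "may have been altered" but not how, so the reader cannot tell what invariant the reset restores or what happens to any heap storage Item::send() may have attached to `buffer`. Presumably Item::send() can grow `buffer` through String::realloc() and leave it pointing at a heap block; the reset then only avoids a leak per row if String::set() releases that block, which is worth confirming since this call is on the per-row path. I would expand the comment to: `Item::send() may have grown buffer onto the heap; point it back at the stack array so every row starts from the fixed-size buffer (String::set() is expected to free any heap copy). See bug #41868.` select_send::send_data() begins and ends outside the hunk.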
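Review bot: The my_malloc branch no longer guarantees `Ptr[alloc_length] == 0` on return: the removed unconditional `Ptr[alloc_length]=0; // This make other funcs shorter` is now only executed in the my_realloc branch (`new_ptr[alloc_length]= 0;`) and in the new `else` when no growth was needed, while the fresh malloc'ed block is terminated only at `str_length`, leaving bytes up to `alloc_length` uninitialized whenever `str_length < alloc_length`. Any caller that relied on the old post-condition (e.g. treating `Ptr` as NUL-terminated after growing for an append) can now read past the written data, which is the same class of over-read this commit is fixing. I would restore the unconditional write after the growth block, i.e. `Ptr= new_ptr; Alloced_length= len; } Ptr[alloc_length]= 0;`, and drop the now-redundant branch-local terminators. The silent `str_length= 0` also hides a caller bug rather than surfacing it; a `DBUG_ASSERT(str_length <= len - 1)` next to it would catch that in debug builds, and since `len` is computed outside the hunk from `alloc_length`, it is worth checking there that `alloc_length+1` cannot wrap to zero, which would make `len - 1` underflow.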