Fixed bug #31019: the MOD() function and the % operator crash the server

when a divisor is less than 1 and its fractional part is very long. For example: 1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789; Stack buffer overflow has been fixed in the do_div_mod function.
author: gshchepa/uchum@gleb.loc <> 2007-10-08 03:48:59 +0500
committer: gshchepa/uchum@gleb.loc <> 2007-10-08 03:48:59 +0500
commit: b8b199af45342d9f08282dcc8f533bf08c4b6562 (patch)
tree: 9ca852e262b3c8f4fa4b9cd92f183fa5aa598ce3 /strings
parent: 0918fe8320398bb3f5f43cc7d762f16d3c01be95 (diff)
download: mariadb-git-b8b199af45342d9f08282dcc8f533bf08c4b6562.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/strings/decimal.c b/strings/decimal.c
index f1f02f3a071..cbea0e340c6 100644
--- a/strings/decimal.c
+++ b/strings/decimal.c
@@ -2323,11 +2323,12 @@ static int do_div_mod(decimal_t *from1, decimal_t *from2,
     }
     if (unlikely(intg0+frac0 > to->len))
     {
-      stop1-=to->len-frac0-intg0;
+      stop1-=frac0+intg0-to->len;
       frac0=to->len-intg0;
       to->frac=frac0*DIG_PER_DEC1;
         error=E_DEC_TRUNCATED;
     }
+    DBUG_ASSERT(buf0 + (stop1 - start1) <= to->buf + to->len);
     while (start1 < stop1)
         *buf0++=*start1++;
   }
author	gshchepa/uchum@gleb.loc <>	2007-10-08 03:48:59 +0500
committer	gshchepa/uchum@gleb.loc <>	2007-10-08 03:48:59 +0500
commit	b8b199af45342d9f08282dcc8f533bf08c4b6562 (patch)
tree	9ca852e262b3c8f4fa4b9cd92f183fa5aa598ce3 /strings
parent	0918fe8320398bb3f5f43cc7d762f16d3c01be95 (diff)
download	mariadb-git-b8b199af45342d9f08282dcc8f533bf08c4b6562.tar.gz