Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY

Extra fix: 'if (p5 < p5_a + P5A_MAX)' is not portable. p5 starts out pointing to a static array, then may point to a buffer on the stack, then may point to malloc()ed memory.
author: Tor Didriksen <tor.didriksen@oracle.com> 2011-09-21 13:46:49 +0200
committer: Tor Didriksen <tor.didriksen@oracle.com> 2011-09-21 13:46:49 +0200
commit: f9b064a406a9836cac109c5dcdd9354cbb4303b7 (patch)
tree: 1eade62487542ed0bf86b4d6582d57e8c11f2a71 /strings
parent: d27d267ee73e9d307e80d4bf91aefcf746b502f7 (diff)
download: mariadb-git-f9b064a406a9836cac109c5dcdd9354cbb4303b7.tar.gz
1 files changed, 9 insertions, 5 deletions
diff --git a/strings/dtoa.c b/strings/dtoa.c
index 05c9bb6e529..f7c38b2420d 100644
--- a/strings/dtoa.c
+++ b/strings/dtoa.c
@@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
   Bigint *b1, *p5, *p51=NULL;
   int i;
   static int p05[3]= { 5, 25, 125 };
+  my_bool overflow= FALSE;
 
   if ((i= k & 3))
     b= multadd(b, p05[i-1], 0, alloc);
@@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
     if (!(k>>= 1))
       break;
     /* Calculate next power of 5 */
-    if (p5 < p5_a + P5A_MAX)
-      ++p5;
-    else if (p5 == p5_a + P5A_MAX)
-      p5= mult(p5, p5, alloc);
-    else
+    if (overflow)
     {
       p51= mult(p5, p5, alloc);
       Bfree(p5, alloc);
       p5= p51;
     }
+    else if (p5 < p5_a + P5A_MAX)
+      ++p5;
+    else if (p5 == p5_a + P5A_MAX)
+    {
+      p5= mult(p5, p5, alloc);
+      overflow= TRUE;
+    }
   }
   if (p51)
     Bfree(p51, alloc);
author	Tor Didriksen <tor.didriksen@oracle.com>	2011-09-21 13:46:49 +0200
committer	Tor Didriksen <tor.didriksen@oracle.com>	2011-09-21 13:46:49 +0200
commit	f9b064a406a9836cac109c5dcdd9354cbb4303b7 (patch)
tree	1eade62487542ed0bf86b4d6582d57e8c11f2a71 /strings
parent	d27d267ee73e9d307e80d4bf91aefcf746b502f7 (diff)
download	mariadb-git-f9b064a406a9836cac109c5dcdd9354cbb4303b7.tar.gz