authorunknown <bar@mysql.com>2004-11-15 21:26:16 +0400
committerunknown <bar@mysql.com>2004-11-15 21:26:16 +0400
commitb478635110d05f644c7fcca476f5cfc6c9ba1e40 (patch)
tree7715553be9e8d8fddc20b35831c60ed23192fc0f /strings
parent58f984add28bba67add38efb0c19d67a154b47ea (diff)
downloadmariadb-git-b478635110d05f644c7fcca476f5cfc6c9ba1e40.tar.gz
Bug#6608: MySQL server crash in some query with tis620 character set.
The bug was that the function allocates 'a', then changes the value of 'a' with the operator ++, and then tries to free 'a'!
Diffstat (limited to 'strings')
-rw-r--r--strings/ctype-tis620.c10
1 files changed, 3 insertions, 7 deletions
diff --git a/strings/ctype-tis620.c b/strings/ctype-tis620.c
index a2ba4783591..68bfefafe6a 100644
--- a/strings/ctype-tis620.c
+++ b/strings/ctype-tis620.c
@@ -562,17 +562,13 @@ int my_strnncollsp_tis620(CHARSET_INFO * cs __attribute__((unused)),
const uchar *b0, uint b_length)
{
uchar buf[80] ;
- uchar *end, *a, *b;
+ uchar *end, *a, *b, *alloced= NULL;
uint length;
int res= 0;
- int alloced= 0;
a= buf;
if ((a_length + b_length +2) > (int) sizeof(buf))
- {
- a= (uchar*) malloc(a_length+b_length);
- alloced= 1;
- }
+ alloced= a= (uchar*) malloc(a_length+b_length);
b= a + a_length+1;
memcpy((char*) a, (char*) a0, a_length);
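Review bot: The heap path on the new line `alloced= a= (uchar*) malloc(a_length+b_length);` allocates two bytes fewer than the layout it feeds. The guard above it compares `a_length + b_length +2` against `sizeof(buf)`, and the next line places `b` at `a + a_length+1`, which leaves only `b_length-1` bytes for the second string. The copy into `b` lies outside this hunk, but if it writes `b_length` bytes plus a terminator, as the `+2` in the guard suggests, inputs too long for the 80-byte stack buffer overflow the heap block; the allocation should match the guard, `alloced= a= (uchar*) malloc(a_length+b_length+2);`. The malloc result is also passed to `memcpy` without a NULL check, so an allocation failure on a long input dereferences NULL. The function body continues past the end of the hunk.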
@@ -618,7 +614,7 @@ int my_strnncollsp_tis620(CHARSET_INFO * cs __attribute__((unused)),
ret:
if (alloced)
- free(a);
+ free(alloced);
return res;
}
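Review bot: The `if (alloced)` guard before `free(alloced);` is redundant, because `alloced` is initialised to NULL and `free(NULL)` is a no-op; `free(alloced);` alone is enough. A short comment at the declaration, such as `/* heap buffer to release at ret:, NULL when buf is used; a is advanced and must not be freed */`, would record the ownership rule that this fix depends on.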