author | Sergei Golubchik <serg@mariadb.org> | 2019-10-19 09:32:11 +0200
---|---|---
committer | Sergei Golubchik <serg@mariadb.org> | 2019-10-19 11:48:38 +0200
commit | 719ac0ad4af0dd1e20dbc94eff8f8c9f786b3393 (patch) |
tree | 3d24a565f176fac100a0b4694c290d050780f186 /strings |
parent | 412e3e6917233fe612354622a18b3f9cdf3a350c (diff) |
download | mariadb-git-719ac0ad4af0dd1e20dbc94eff8f8c9f786b3393.tar.gz |
crash in string-to-int conversion
Using specially crafted strings one could overflow the `shift`
variable and cause a crash by dereferencing d10[-2147483648]
(on a sufficiently old gcc).
This is a correct fix and a test case for
Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
Diffstat (limited to 'strings')
-rw-r--r-- | strings/ctype-simple.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/strings/ctype-simple.c b/strings/ctype-simple.c index 5c9790966d8..ba446a7df54 100644 --- a/strings/ctype-simple.c +++ b/strings/ctype-simple.c @@ -1,5 +1,5 @@ /* Copyright (c) 2002, 2013, Oracle and/or its affiliates. - Copyright (c) 2009, 2014, SkySQL Ab. + Copyright (c) 2009, 2019, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1524,10 +1524,20 @@ exp: /* [ E [ <sign> ] <unsigned integer> ] */ if (++str == end) goto ret_sign; } - for (exponent= 0 ; - str < end && (ch= (uchar) (*str - '0')) < 10; - str++) + if (shift > 0 && !negative_exp) + goto ret_too_big; + for (exponent= 0 ; str < end && (ch= (uchar) (*str - '0')) < 10; str++) { + if (negative_exp) + { + if (exponent - shift > DIGITS_IN_ULONGLONG) + goto ret_zero; + } + else + { + if (exponent + shift > DIGITS_IN_ULONGLONG) + goto ret_too_big; + } exponent= exponent * 10 + ch; } shift+= negative_exp ? -exponent : exponent; |
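Review bot: the three new jumps in the exponent hunk (`goto ret_too_big` before the `for` loop and the `ret_zero`/`ret_too_big` jumps inside it) leave `str` pointing at exponent digits that have not been consumed, so if the `ret_too_big` and `ret_zero` paths (outside this hunk) report the parse position through `str`, callers will see the number as ending mid-exponent rather than after it; either advance past the remaining digits before jumping, or confirm those labels do not read `str`. The placement of the bounds check is correct and worth documenting: testing `exponent + shift > DIGITS_IN_ULONGLONG` (or `exponent - shift` for a negative exponent) on the value from the previous iteration, before `exponent= exponent * 10 + ch;`, caps `exponent` at roughly 10 * (DIGITS_IN_ULONGLONG + |shift|) + 9, which is what keeps `shift+= negative_exp ? -exponent : exponent;` from overflowing; a one-line comment stating that invariant would stop a later refactor from moving the check after the multiply and reintroducing the bug.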