From fd8bf58ca972ef3f521aec03c0bd09fa3ec78335 Mon Sep 17 00:00:00 2001
From: Alexey Kopytov
Date: Tue, 10 Feb 2009 15:38:56 +0300
Subject: Fix for bug #41868: crash or memory overrun with concat + upper, date_format functions

String::realloc() did not check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer (i.e.alloced == FALSE). This could lead to memory overruns in some cases.

client/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
mysql-test/r/func_str.result: Added a test case for bug #41868.
mysql-test/t/func_str.test: Added a test case for bug #41868.
sql/sql_class.cc: After each call to Item::send() in select_send::send_data() reset buffer to its original state to reduce unnecessary malloc() calls. See comments for bug #41868 for detailed analysis.
sql/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
---
 sql/sql_class.cc | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'sql/sql_class.cc')

diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 91c0aa66761..9ff602bb62e 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -1047,6 +1047,11 @@ bool select_send::send_data(List &items)
       my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
       break;
     }
+    /*
+      Reset buffer to its original state, as it may have been altered in
+      Item::send().
+    */
+    buffer.set(buff, sizeof(buff), &my_charset_bin);
   }
   thd->sent_row_count++;
   if (!thd->vio_ok())
-- 
cgit v1.2.1
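Review bot: The added `buffer.set(buff, sizeof(buff), &my_charset_bin)` puts `buffer` back into the external-buffer state (`alloced == FALSE`, pointing at the stack array) on every row, which is precisely the state in which the unfixed String::realloc() overran memory; this hunk therefore increases the number of times that path is taken, and this page only shows sql/sql_class.cc, so it must not be merged without the companion sql_string.cc realloc fix from the same commit. The reset is also only leak-free if String::set() releases a heap buffer that Item::send() may have allocated via realloc() — that behaviour lives in sql_string.h, which is not in view, so please confirm it before relying on it. I would make both dependencies explicit in the comment: `Reset buffer to its external stack buffer (alloced == FALSE), as Item::send() may have reallocated it onto the heap. Relies on String::set() freeing any owned buffer, and on String::realloc() copying existing data when growing an external buffer (bug #41868).` The enclosing select_send::send_data() starts and ends outside this hunk.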