Commit 887d1493 authored by Alexey Kopytov's avatar Alexey Kopytov

Fix for bug #41868: crash or memory overrun with concat + upper, date_format

                    functions
      
String::realloc() did not check whether the existing string data fits in the newly
allocated buffer for cases when reallocating a String object with external buffer
(i.e.alloced == FALSE).  This could lead to memory overruns in some cases.
parent 6a834d1f
...@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length) ...@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length)
if (alloced) if (alloced)
{ {
if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME)))) if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
{ new_ptr[alloc_length]= 0;
Ptr=new_ptr;
Alloced_length=len;
}
else else
return TRUE; // Signal error return TRUE; // Signal error
} }
else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME)))) else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
{ {
if (str_length > len - 1)
str_length= 0;
if (str_length) // Avoid bugs in memcpy on AIX if (str_length) // Avoid bugs in memcpy on AIX
memcpy(new_ptr,Ptr,str_length); memcpy(new_ptr, Ptr, str_length);
new_ptr[str_length]=0; new_ptr[str_length]= 0;
Ptr=new_ptr;
Alloced_length=len;
alloced=1; alloced=1;
} }
else else
return TRUE; // Signal error return TRUE; // Signal error
Ptr= new_ptr;
Alloced_length= len;
} }
Ptr[alloc_length]=0; // This make other funcs shorter else
Ptr[alloc_length]= 0;
return FALSE; return FALSE;
} }
......
...@@ -2181,4 +2181,10 @@ def format(a, 2) 253 20 4 Y 0 2 8 ...@@ -2181,4 +2181,10 @@ def format(a, 2) 253 20 4 Y 0 2 8
format(a, 2) format(a, 2)
1.33 1.33
drop table t1; drop table t1;
CREATE TABLE t1 (c DATE, aa VARCHAR(30));
INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
h i
31.12.2008 AAAAAA, aaaaaa
DROP TABLE t1;
End of 5.0 tests End of 5.0 tests
...@@ -1159,4 +1159,13 @@ select format(a, 2) from t1; ...@@ -1159,4 +1159,13 @@ select format(a, 2) from t1;
--disable_metadata --disable_metadata
drop table t1; drop table t1;
#
# Bug #41868: crash or memory overrun with concat + upper, date_format functions
#
CREATE TABLE t1 (c DATE, aa VARCHAR(30));
INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
DROP TABLE t1;
--echo End of 5.0 tests --echo End of 5.0 tests
...@@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &items) ...@@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &items)
my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0)); my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
break; break;
} }
/*
Reset buffer to its original state, as it may have been altered in
Item::send().
*/
buffer.set(buff, sizeof(buff), &my_charset_bin);
} }
thd->sent_row_count++; thd->sent_row_count++;
if (!thd->vio_ok()) if (!thd->vio_ok())
......
...@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length) ...@@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length)
if (alloced) if (alloced)
{ {
if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME)))) if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
{ new_ptr[alloc_length]= 0;
Ptr=new_ptr;
Alloced_length=len;
}
else else
return TRUE; // Signal error return TRUE; // Signal error
} }
else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME)))) else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
{ {
if (str_length > len - 1)
str_length= 0;
if (str_length) // Avoid bugs in memcpy on AIX if (str_length) // Avoid bugs in memcpy on AIX
memcpy(new_ptr,Ptr,str_length); memcpy(new_ptr, Ptr, str_length);
new_ptr[str_length]=0; new_ptr[str_length]= 0;
Ptr=new_ptr;
Alloced_length=len;
alloced=1; alloced=1;
} }
else else
return TRUE; // Signal error return TRUE; // Signal error
Ptr= new_ptr;
Alloced_length= len;
} }
Ptr[alloc_length]=0; // This make other funcs shorter else
Ptr[alloc_length]= 0;
return FALSE; return FALSE;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment