List: Commits
From: Tor Didriksen
Date: October 7 2010 8:14am
Subject: bzr commit into mysql-5.5-bugteam branch (tor.didriksen:3096) Bug#57209
#At file:///export/home/didrik/repo/5.5-bugteam-bug57209/ based on revid:alexander.nozdrin@stripped

 3096 Tor Didriksen	2010-10-07
      Bug#57209 valgrind + Assertion failed: dst > buf
      
      Buffer overrun when trying to format DBL_MAX
     @ mysql-test/r/func_math.result
        Add test case for Bug#57209
     @ mysql-test/t/func_math.test
        Add test case for Bug#57209
     @ sql/item_strfunc.cc
        Allocate a larger buffer for the result.

    modified:
      mysql-test/r/func_math.result
      mysql-test/t/func_math.test
      sql/item_strfunc.cc
=== modified file 'mysql-test/r/func_math.result'
--- a/mysql-test/r/func_math.result	2010-04-11 06:52:42 +0000
+++ b/mysql-test/r/func_math.result	2010-10-07 08:14:27 +0000
@@ -600,3 +600,14 @@ NULL
 SELECT -9223372036854775808 MOD -1;
 -9223372036854775808 MOD -1
 0
+#
+# Bug #57209 valgrind + Assertion failed: dst > buf 
+#
+select floor(log10(format(concat_ws(5445796E25, 5306463, 30837),
+period_diff(0.2286, 2989582))
+)
+)
+as foo
+;
+foo
+2

=== modified file 'mysql-test/t/func_math.test'
--- a/mysql-test/t/func_math.test	2010-03-18 10:38:29 +0000
+++ b/mysql-test/t/func_math.test	2010-10-07 08:14:27 +0000
@@ -458,3 +458,13 @@ SELECT 2 DIV -2;
 SELECT -(1 DIV 0);
 # Crashed the server with SIGFPE before the bugfix
 SELECT -9223372036854775808 MOD -1;
+
+--echo #
+--echo # Bug #57209 valgrind + Assertion failed: dst > buf 
+--echo #
+select floor(log10(format(concat_ws(5445796E25, 5306463, 30837),
+                          period_diff(0.2286, 2989582))
+                   )
+             )
+  as foo
+;

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2010-08-20 11:14:11 +0000
+++ b/sql/item_strfunc.cc	2010-10-07 08:14:27 +0000
@@ -2299,7 +2299,8 @@ String *Item_func_format::val_str_ascii(
   if (lc->grouping[0] > 0 &&
       str_length >= dec_length + 1 + lc->grouping[0])
   {
-    char buf[DECIMAL_MAX_STR_LENGTH * 2]; /* 2 - in the worst case when grouping=1 */
+    /* We need space for ',' between each triplet of digits as well. */
+    char buf[FLOATING_POINT_BUFFER + FLOATING_POINT_BUFFER/3];
     int count;
     const char *grouping= lc->grouping;
     char sign_length= *str->ptr() == '-' ? 1 : 0;
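
Review bot: The new size of buf assumes one separator per three digits ("between each triplet of digits"), but the enclosing condition only requires lc->grouping[0] > 0, and the removed comment sized the buffer for "the worst case when grouping=1". For a locale with a grouping smaller than 3, the FLOATING_POINT_BUFFER/3 allowance for separators is too small. Either keep a worst-case factor (2 * FLOATING_POINT_BUFFER) or check at run time that str_length plus the separators to be inserted fits in buf before filling it; the bug title shows the previous overrun was caught only by a debug assertion (dst > buf) and valgrind. The comment should also state what FLOATING_POINT_BUFFER is expected to cover, so the next reader can verify the bound.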


Attachment: [text/bzr-bundle] bzr/tor.didriksen@oracle.com-20101007081427-5z5v3lw8tkq297k9.bundle