From: Tor Didriksen Date: October 8 2010 10:28am Subject: bzr commit into mysql-5.5-bugteam branch (tor.didriksen:3222) Bug#57209 List-Archive: http://lists.mysql.com/commits/120357 X-Bug: 57209 Message-Id: <20101008102820.7CF4A379D@atum07.norway.sun.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6862625337626769532==" --===============6862625337626769532== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///export/home/didrik/repo/5.5-bugteam-bug57209/ based on revid:svoj@stripped 3222 Tor Didriksen 2010-10-08 Bug#57209 valgrind + Assertion failed: dst > buf Buffer overrun when trying to format DBL_MAX @ mysql-test/r/func_math.result Add test case for Bug#57209 @ mysql-test/t/func_math.test Add test case for Bug#57209 @ sql/item_strfunc.cc Allocate a larger buffer for the result. modified: mysql-test/r/func_math.result mysql-test/t/func_math.test sql/item_strfunc.cc === modified file 'mysql-test/r/func_math.result' --- a/mysql-test/r/func_math.result 2010-04-11 06:52:42 +0000 +++ b/mysql-test/r/func_math.result 2010-10-08 09:52:09 +0000 @@ -600,3 +600,10 @@ NULL SELECT -9223372036854775808 MOD -1; -9223372036854775808 MOD -1 0 +# +# Bug #57209 valgrind + Assertion failed: dst > buf +# +SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821))) +as foo; +foo +2 === modified file 'mysql-test/t/func_math.test' --- a/mysql-test/t/func_math.test 2010-03-18 10:38:29 +0000 +++ b/mysql-test/t/func_math.test 2010-10-08 09:52:09 +0000 @@ -458,3 +458,9 @@ SELECT 2 DIV -2; SELECT -(1 DIV 0); # Crashed the server with SIGFPE before the bugfix SELECT -9223372036854775808 MOD -1; + +--echo # +--echo # Bug #57209 valgrind + Assertion failed: dst > buf +--echo # +SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821))) +as foo; === modified file 'sql/item_strfunc.cc' --- a/sql/item_strfunc.cc 2010-08-20 11:14:11 +0000 
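Review bot: The new mysql-test/t/func_math.test case reaches the DBL_MAX condition only indirectly — `concat_ws(5445796E25, 5306463, 30837)` yields a string whose exponent overflows when it is converted back to a double (so I infer it saturates to DBL_MAX), and wrapping FORMAT() in `floor(log10(...))` leaves an expected value of `2` that says nothing about the buffer being exercised. The `--echo` lines name only the symptom; I would state the condition being tested, e.g. `--echo # FORMAT() of a value that overflows to DBL_MAX must not overrun the digit-grouping buffer`. I would also add a direct, readable probe next to the fuzzer-style expression, such as `SELECT LENGTH(FORMAT(1.7976931348623157e308, 0));`, so that a later change to the buffer size or the grouping loop fails on an obvious statement rather than on an opaque one. The companion func_math.result hunk would then need the corresponding expected row.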
+++ b/sql/item_strfunc.cc 2010-10-08 09:52:09 +0000 @@ -2299,7 +2299,8 @@ String *Item_func_format::val_str_ascii( if (lc->grouping[0] > 0 && str_length >= dec_length + 1 + lc->grouping[0]) { - char buf[DECIMAL_MAX_STR_LENGTH * 2]; /* 2 - in the worst case when grouping=1 */ + /* We need space for ',' between each group of digits as well. */ + char buf[2 * FLOATING_POINT_BUFFER]; int count; const char *grouping= lc->grouping; char sign_length= *str->ptr() == '-' ? 1 : 0; 
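Review bot: The new `char buf[2 * FLOATING_POINT_BUFFER]` is still a compile-time size while entry into this branch is decided by the runtime `str_length`, so the hunk swaps one hard-coded bound for another and nothing ties the buffer to the string actually being grouped. The old comment's rationale ("2 - in the worst case when grouping=1", i.e. at most one separator per digit) is the correct upper bound and should survive in the new comment instead of being dropped. I would add an explicit guard after `char sign_length= *str->ptr() == '-' ? 1 : 0;` so an input that cannot fit degrades gracefully instead of relying on the debug-only `dst > buf` assertion named in the bug title: `if (2 * (size_t) str_length + 1 > sizeof(buf)) return str; /* worst case: a separator after every digit */` — the fallback value should match whatever the function returns when grouping is disabled, which is outside this hunk. FLOATING_POINT_BUFFER is presumably the longest string the float formatter can produce, so the size is adequate only as long as `str` always comes from that path; the guard makes that assumption checkable in release builds. Item_func_format::val_str_ascii starts before and continues after this hunk.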
@@ -2323,7 +2324,7 @@ String *Item_func_format::val_str_ascii( count will be initialized to -1 and we'll never get into this "if" anymore. */ - if (!count) + if (count == 0) { *--dst= lc->thousand_sep; if (grouping[1]) --===============6862625337626769532== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/tor.didriksen@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: tor.didriksen@stripped\ # leoru3qeg7s3k42c # target_branch: file:///export/home/didrik/repo/5.5-bugteam-bug57209/ # testament_sha1: 4b55dc1542f513902ae09abe26c8f47d53417361 # timestamp: 2010-10-08 12:28:20 +0200 # base_revision_id: svoj@stripped # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWcuuY2MAA2rfgFAQWP///3+n 3sq////wYAc/b3Ofc3oPQOwb3vd5erY16eOAklBoTEnqnqZPaZE8gSbAhNPU0Bk0PSbQmgyUyU8y ap5PUepig3qmQAD1AZAAAAHDTTIxGE0wEMAmmEYJiZDTI0NAJJqECJpqNtNUfpI9Qemp6h6QGQDQ ADQDakRMyTJHk09SnqfpR+qep6Bk0gAZBoAACSRMmgAJoBMQnqnhINAbRAAaAPWrdl7my07CFzj9 PQ/L38OFNW/hxw01OdZxiEM2w7HTjxyRyuFMEYqSVVS2ou9SawgKjUe0e0rZ3wOMaZtNRQIhBByf X5I/NMhGjGjkcEXxlImykibY7bQ2LE6pJsx3+OfIoRxf0KUI19iQeUW/D/t+H+YlH4yD6fYIUwn7 Z+hTvc9hnk08hltayx5ZHqsqIGSWfmGGvMMZnrxMOoGzHY+IZFpHyYJjAzO25SwVgvggKDVJbPCD /mWsUtzcHqQjecsFCbnCwsWyCpm2WzYItIMqgUgKlWhcvVcT1waI0YRNVe6ILqYZpbWTlcjWZ0TJ BLSTZIShJTTTYndXAr52l1uQhWKkRamrJjuKJKRQSooISGnYRAVKD8MqixYdO25ar0SGTXVlPXvG gIDyZUYH1z7i7Q8MyNE5kTymFUgxpRRO8tFpClKFThB1AscCwVMhSIC5c94RaF2HJVXrbNaVGKtJ yo1zIMDiT9z9klKH7ueF4tTIC+SetiQy9cwcjEyFPYJpG/I7dvuOBkYlMDbIVdF1cN8BT9NQiw/n cq64clJP151YyfirNCCjEZmwMidObVz6RnGoVYy3FprI0xNVZd2ph/+r1iKreC/wRTMpXZmoxN7K wa9tbxxiTLsEY5G1Q3Dnm60oTFR7VD0wvDY6BwXFHx13KB2X3qhUpvS3JY0BUueeaowKg5DNI2Zv cO4Yeg817yRsoF4WQX1I6QJGq7MqV3EdHuzuNY+OdeMJKaocRFGgrJO2SPLPzZZsikvLxiFNdRhO uSrwuwKlgpibA5UC6UE5jQ4o2E5G4cWQMgfQPejDK1pG+tbBF6qfAjSLHMSrUIvqOpF5rlIvqKR6 ude1BUaFDGutPZIpTs5dkh0VXPy2uJkJwyucUE6shbsslfPCijwsUs6lElY8mHPrmGgqrmnqmEgo 
6oRROVHIJTqdgnNSdZj0xsDj5tPEsyhUC2JnautPLq1OBZC+vDfpUamKGYZMd/p8H4RzD4x7iLwP I3nm7h28Vwdpu8CXyfdQcDhNeuXYNHnRP58axplWwuoQ/29jwrUMp6yACI6F6rVJzERs2bFFt3HX M2kFLJBu+NQ+beWIIxQrXAbF8o61gjpou0IKcxVhIcKHkwhybd2rNgl/FnYd0duKItLtVN6Ar9RY lNE5Dx3LGUoKubwcuxDl34ZdMxxERWMent94ahnFGlhe1s5NDb8piZ7JEUJZ5dpgT5okFgn8RPKW SuhikT14YUAvlowCbRnLCYB/CJI1h+EA6wFq49xoBKzgYdvCXWH+3TlCS0m2DDgMc6eBVvjhnuW3 CWO9UXFdOFHCKoWRqyvJeehSeClV4zlam06c+ujbeL9F3CI7tyque1C3/B5LQidYoKXgV8NCZHGI rpKsUueSTI8sloOEM0wtbCnH0u80OlUeDVagasxm3TgwYywsJaiFWcT5zJlG4cGsYpPiNFkFBJbt F/qx6plaq0xPc3eRmA6U1C1ilzna5w7MoMSV/Q/ShbDSVMDaPAa56i/6GaKxr8+ZwQp07vAZ+ni9 Wea3ARXXVeszHH0Efj5Anw/rxUCKRHcJ1omNSLIX9/ZongSRejGBj078Bw7Eo1y4deVPWtHYrMqx k4iNP1sXZbRa+kuJyzoXstKFixEOKgJym6ReFi6caQyBMC2iMSKYJ+Ps3WcyweLAmu5QbftQFbVo 7UbRDOUyyDEwpKF6lTwlIKX9U8/7QrsKE2TmQ29geCbapkk4rigme4ylOUsfiQiFDCYeXFJyW1eM nfnmUpFfnqOPLkXKsF2JBehmBjutUSowHr2tcYAtgJhPF8moQUZYuasPsv16oBmN3IqaKFABnAOd TQuWSe4zDJTAxEQXY3suS32zqkOeiZy7mBecymeIO7F6DxDRn+DwxRKLU+pCtVQswxlG+MskwSSO DKfvTVpx1ESx8uAZbrFghaKKNcLOuQULw5S+FyrVFbbbfWt3qUGYN6tTBTFkQxbUSDPqzpwboY01 XOWaZ4OxssrVOUUSIh67Z6UX6DtheVDkJ61chS8z7U7kw7JiUXLUkxQvFmRad1bnifTbW8TtXAmQ nkrTC85+YXpQyoOFiIsJwEk7TtwibomO8fBXld4/oO9okjiOazSQPNsrWa41F5xnIuBvKiJbhana xwYJk20oGHZCkVi3lliUKmpI/8XckU4UJDLrmNjA --===============6862625337626769532==--