From:Kristofer Pettersson Date:November 25 2010 9:02am
Subject:bzr commit into mysql-5.1-bugteam branch (kristofer.pettersson:3509)
Bug#57132
#At file:///home/thek/bzr/mysql-5.1-bugteam/ based on revid:davi.arnaut@stripped

 3509 Kristofer Pettersson	2010-11-25
      Bug#57132 conv function crashes, negative argument to memcpy
      
      Using a large negative base in SQL function
      CONV could crash the server.
      
      longlong2str() can return a null pointer
      if radix < 0 && (radix<-36 || radix<-2). If
      ptr < ans then the argument length will
      become very big. If the call to
      longlong2str() is successful the pointer
      would have pointed to the character just
      after the result in the destination string.

    modified:
      mysql-test/r/func_str.result
      mysql-test/t/func_str.test
      sql/item_strfunc.cc
=== modified file 'mysql-test/r/func_str.result'
--- a/mysql-test/r/func_str.result	2010-03-26 05:49:35 +0000
+++ b/mysql-test/r/func_str.result	2010-11-25 09:02:19 +0000
@@ -2600,4 +2600,10 @@ ORDER BY QUOTE(t1.a);
 1
 1
 DROP TABLE t1;
+#
+# Bug57132 conv function crashes, negative argument to memcpy
+#
+SELECT CONV(1,-2147483648,-2147483648);
+CONV(1,-2147483648,-2147483648)
+
 End of 5.1 tests
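Review bot: the expected output for `CONV(1,-2147483648,-2147483648)` is an empty string (the blank line under the column header), not `NULL`, so this result file fixes '' as the contract for an out-of-range radix; if the intent is to match the NULL that CONV returns for NULL arguments, the expectation here should read `NULL` instead. Minor: the comment header says "Bug57132" while the subject line uses "Bug#57132"; use one form.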

=== modified file 'mysql-test/t/func_str.test'
--- a/mysql-test/t/func_str.test	2010-03-26 05:49:35 +0000
+++ b/mysql-test/t/func_str.test	2010-11-25 09:02:19 +0000
@@ -1362,4 +1362,9 @@ SELECT 1 FROM t1, t1 t2
 ORDER BY QUOTE(t1.a);
 DROP TABLE t1;
 
+--echo #
+--echo # Bug57132 conv function crashes, negative argument to memcpy
+--echo #
+SELECT CONV(1,-2147483648,-2147483648);
+
 --echo End of 5.1 tests
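Review bot: the single test case passes the same extreme value as both from_base and to_base, so it cannot show whether the from_base conversion (the call above `from_base, &endptr, &err`) or the longlong2str() call is the one that crashed. Add cases that vary one argument at a time, e.g. `SELECT CONV(1,10,-2147483648);` and `SELECT CONV(1,-2147483648,10);`, and, since the commit message says longlong2str() returns NULL for radix < -36, the boundary `SELECT CONV(1,10,-37);`.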

=== modified file 'sql/item_strfunc.cc'
--- a/sql/item_strfunc.cc	2010-05-03 16:14:39 +0000
+++ b/sql/item_strfunc.cc	2010-11-25 09:02:19 +0000
@@ -2700,7 +2700,9 @@ String *Item_func_conv::val_str(String *
                                    from_base, &endptr, &err);
   }
 
-  ptr= longlong2str(dec, ans, to_base);
+  if (!(ptr= longlong2str(dec, ans, to_base)))
+    return &my_empty_string;
+  
   if (str->copy(ans, (uint32) (ptr-ans), default_charset()))
     return &my_empty_string;
   return str;
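Review bot: returning &my_empty_string when longlong2str() rejects the radix makes an invalid to_base indistinguishable from a genuine empty result and differs from the NULL that CONV returns for NULL arguments; consider `null_value= 1; return 0;` here instead (with the result file updated to match). The null check also only catches the symptom: the commit message says longlong2str() fails for radix < -36, so range-checking to_base (and from_base) against the supported 2..36 magnitudes before either conversion call would reject -2147483648 up front instead of relying on the callee. Style: the added blank line `+  ` carries trailing whitespace.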


Attachment: [text/bzr-bundle] bzr/kristofer.pettersson@oracle.com-20101125090219-hk2b0vf7h2f9uxi1.bundle