#At file:///Users/tnurnberg/forest/11762799/56-11762799/ based on revid:azundris@stripped
3367 Tatiana Azundris Nurnberg 2011-05-05
Bug#11762799: buffer overflow in debug binary of dbug_buff in Field_new_decimal::store_value
extra, more aggressive fixes for 5.6+
modified:
sql/log_event.cc
sql/my_decimal.cc
sql/protocol.cc
sql/sql_analyse.cc
strings/decimal.c
=== modified file 'sql/log_event.cc'
--- a/sql/log_event.cc 2011-05-04 07:51:15 +0000
+++ b/sql/log_event.cc 2011-05-05 10:52:34 +0000
@@ -6087,10 +6087,10 @@ void User_var_log_event::pack_info(Proto
break;
case DECIMAL_RESULT:
{
- if (!(buf= (char*) my_malloc(val_offset + DECIMAL_MAX_STR_LENGTH,
+ if (!(buf= (char*) my_malloc(val_offset + DECIMAL_MAX_STR_LENGTH + 1,
MYF(MY_WME))))
return;
- String str(buf+val_offset, DECIMAL_MAX_STR_LENGTH, &my_charset_bin);
+ String str(buf+val_offset, DECIMAL_MAX_STR_LENGTH + 1, &my_charset_bin);
my_decimal dec;
binary2my_decimal(E_DEC_FATAL_ERROR, (uchar*) (val+2), &dec, val[0],
val[1]);
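Review bot: The size passed to `my_malloc` and the capacity handed to `String str(...)` are the same `DECIMAL_MAX_STR_LENGTH + 1` spelled out twice, so a later edit can adjust one and miss the other; name it once, e.g. `const size_t dec_buf_len= DECIMAL_MAX_STR_LENGTH + 1;` followed by `my_malloc(val_offset + dec_buf_len, MYF(MY_WME))` and `String str(buf+val_offset, dec_buf_len, &my_charset_bin);`. The extra byte only makes sense because decimal2string keeps one byte of the length it is given for the terminator (the `--*to_len` in the strings/decimal.c hunk of this commit), which deserves a short comment on the allocation line. User_var_log_event::pack_info starts and ends outside this hunk, so the conversion call that actually fills `str` cannot be checked here.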
=== modified file 'sql/my_decimal.cc'
--- a/sql/my_decimal.cc 2011-05-05 06:55:53 +0000
+++ b/sql/my_decimal.cc 2011-05-05 10:52:34 +0000
@@ -106,7 +106,7 @@ int my_decimal2string(uint mask, const m
required size of the buffer.
*/
int length= (fixed_prec
- ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1)
+ ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1 + 1)
: my_decimal_string_length(d));
int result;
if (str->alloc(length))
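Review bot: The new `+ 1 + 1` on the fixed_prec branch gives a reader no way to tell what each term pays for, and it is the kind of expression that gets "simplified" to `+ 2` or loses a term later. One of them is the '\0' that decimal2string reserves out of the length it is passed (the `--*to_len` in the strings/decimal.c hunk); the other is presumably the decimal point or sign, which should be confirmed and written in place, e.g. `? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1 /* '.' (confirm) */ + 1 /* '\0' reserved by decimal2string */)`. my_decimal2string starts before this hunk, so whether the non-fixed branch's `my_decimal_string_length(d)` already accounts for the terminator cannot be verified from here.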
=== modified file 'sql/protocol.cc'
--- a/sql/protocol.cc 2011-03-22 11:44:40 +0000
+++ b/sql/protocol.cc 2011-05-05 10:52:34 +0000
@@ -1063,7 +1063,7 @@ bool Protocol_text::store_decimal(const
field_types[field_pos] == MYSQL_TYPE_NEWDECIMAL);
field_pos++;
#endif
- char buff[DECIMAL_MAX_STR_LENGTH];
+ char buff[DECIMAL_MAX_STR_LENGTH + 1];
String str(buff, sizeof(buff), &my_charset_bin);
(void) my_decimal2string(E_DEC_FATAL_ERROR, d, 0, 0, 0, &str);
return net_store_data((uchar*) str.ptr(), str.length());
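Review bot: The `+ 1` on the new `char buff[DECIMAL_MAX_STR_LENGTH + 1]` carries no explanation, and a macro named as a maximum string length reads as if it were already sufficient, so the next reader may drop it. The reason is visible in the strings/decimal.c hunk of this commit, where decimal2string takes one byte off `*to_len` for the '\0'; record that at the declaration: `char buff[DECIMAL_MAX_STR_LENGTH + 1]; /* +1: decimal2string reserves one byte of sizeof(buff) for '\0' */`. Protocol_text::store_decimal begins before this hunk, so its preamble is not visible here.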
@@ -1344,7 +1344,7 @@ bool Protocol_binary::store_decimal(cons
field_types[field_pos] == MYSQL_TYPE_NEWDECIMAL);
field_pos++;
#endif
- char buff[DECIMAL_MAX_STR_LENGTH];
+ char buff[DECIMAL_MAX_STR_LENGTH + 1];
String str(buff, sizeof(buff), &my_charset_bin);
(void) my_decimal2string(E_DEC_FATAL_ERROR, d, 0, 0, 0, &str);
return store(str.ptr(), str.length(), str.charset());
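Review bot: Protocol_binary::store_decimal now repeats the same three conversion lines as Protocol_text::store_decimal in the hunk above (the `buff` declaration, the `String str` wrapper and the `my_decimal2string` call), so the buffer size and its `+ 1` live in two places that must be kept in step by hand. Consider deriving the size from a single definition used by both overrides, or a small helper that performs the conversion into a caller-supplied `String`, so the next adjustment cannot be applied at one site and missed at the other. The start of this function is outside the hunk.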
=== modified file 'sql/sql_analyse.cc'
--- a/sql/sql_analyse.cc 2011-03-22 11:44:40 +0000
+++ b/sql/sql_analyse.cc 2011-05-05 10:52:34 +0000
@@ -1102,7 +1102,7 @@ int collect_real(double *element, elemen
int collect_decimal(uchar *element, element_count count,
TREE_INFO *info)
{
- char buff[DECIMAL_MAX_STR_LENGTH];
+ char buff[DECIMAL_MAX_STR_LENGTH + 1];
String s(buff, sizeof(buff),&my_charset_bin);
if (info->found)
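Review bot: The new `char buff[DECIMAL_MAX_STR_LENGTH + 1]` does not say why the macro alone is not enough, which is the same question a reader will have at the identical declarations in sql/protocol.cc. Since decimal2string keeps one byte of the length it is given for the terminator (the `--*to_len` in the strings/decimal.c hunk), a one-line comment settles it: `char buff[DECIMAL_MAX_STR_LENGTH + 1]; /* +1: decimal2string keeps one byte of sizeof(buff) for '\0' */`. collect_decimal continues past the end of this hunk, so the call that fills `s` is not visible here.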
=== modified file 'strings/decimal.c'
--- a/strings/decimal.c 2011-05-05 06:55:53 +0000
+++ b/strings/decimal.c 2011-05-05 10:52:34 +0000
@@ -369,20 +369,28 @@ int decimal2string(const decimal_t *from
}
else if (unlikely(len > --*to_len)) /* reserve one byte for \0 */
{
- int j= len-*to_len;
+ int j= len - *to_len; /* excess printable chars */
error= (frac && j <= frac + 1) ? E_DEC_TRUNCATED : E_DEC_OVERFLOW;
- if (frac && j >= frac + 1) j--;
+
+ /*
+ If we need to cut more places than frac is wide, we'll end up
+ dropping the decimal point as well. Account for this.
+ */
+ if (frac && j >= frac + 1)
+ j--;
+
if (j > frac)
{
- intg-= j-frac;
+ intg_len= intg-= j-frac;
frac= 0;
}
else
frac-=j;
+ frac_len= frac;
len= from->sign + intg_len + test(frac) + frac_len;
}
- *to_len=len;
- s[len]=0;
+ *to_len= len;
+ s[len]= 0;
if (from->sign)
*s++='-';
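Review bot: Nothing in the truncation branch bounds `j - frac` by `intg`, so `intg_len= intg-= j-frac;` can take the integer part to zero or below when `*to_len` is too small to hold even the integer digits; `len` is then recomputed with no slot for the lone '0' that the `else *s= '0';` branch later in this function still emits, so that '0' lands on the terminator stored by `s[len]= 0` (and with a negative `len` the store is before the buffer). Whether callers can reach that with such a short `*to_len` depends on the checks at the top of decimal2string, which are outside this hunk, so please confirm; if they cannot, a debug assertion on `intg >= 0` after the subtraction is enough to document it. Otherwise clamp the integer part and keep the '0' slot when it empties, and reject a buffer too short for even the sign plus "0" before this arithmetic rather than relying on it.

```c
      if (j > frac)
      {
        intg-= j - frac;
        if (intg < 0)
          intg= 0;                    /* cannot cut more than the integer part */
        intg_len= intg ? intg : 1;    /* keep room for the lone '0' emitted below */
        frac= 0;
      }
      /* … unchanged: else branch, frac_len, len recomputation … */
```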
@@ -404,14 +412,14 @@ int decimal2string(const decimal_t *from
x*=10;
}
}
- for(; fill; fill--)
+ for(; fill > 0; fill--)
*s1++=filler;
}
fill= intg_len - intg;
if (intg == 0)
fill--; /* symbol 0 before digital point */
- for(; fill; fill--)
+ for(; fill > 0; fill--)
*s++=filler;
if (intg)
{
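Review bot: Changing both padding loops to `fill > 0` silently absorbs a negative fill count instead of surfacing the miscalculated `intg_len`/`frac_len` that produced it; the `if (intg == 0) fill--;` just above is exactly where a zero `intg_len` turns into -1. Keep the guard, but make the expectation checkable in debug builds, e.g. `DBUG_ASSERT(fill >= 0);` immediately before each `for(; fill > 0; fill--)` loop, if my_dbug.h is already in scope in this file (not visible here). decimal2string continues on either side of this hunk.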
@@ -429,6 +437,7 @@ int decimal2string(const decimal_t *from
}
else
*s= '0';
+
return error;
}
Attachment: [text/bzr-bundle] bzr/azundris@sun.com-20110505105234-zwr6oenmsq5nd3zm.bundle