From:Tatiana Azundris Nurnberg Date:May 5 2011 10:52am
Subject:bzr commit into mysql-trunk branch (azundris:3367) Bug#11762799
#At file:///Users/tnurnberg/forest/11762799/56-11762799/ based on revid:azundris@stripped

 3367 Tatiana Azundris Nurnberg	2011-05-05
      Bug#11762799: buffer overflow in debug binary of dbug_buff in Field_new_decimal::store_value
      
      extra, more aggressive fixes for 5.6+

    modified:
      sql/log_event.cc
      sql/my_decimal.cc
      sql/protocol.cc
      sql/sql_analyse.cc
      strings/decimal.c
=== modified file 'sql/log_event.cc'
--- a/sql/log_event.cc	2011-05-04 07:51:15 +0000
+++ b/sql/log_event.cc	2011-05-05 10:52:34 +0000
@@ -6087,10 +6087,10 @@ void User_var_log_event::pack_info(Proto
       break;
     case DECIMAL_RESULT:
     {
-      if (!(buf= (char*) my_malloc(val_offset + DECIMAL_MAX_STR_LENGTH,
+      if (!(buf= (char*) my_malloc(val_offset + DECIMAL_MAX_STR_LENGTH + 1,
                                    MYF(MY_WME))))
         return;
-      String str(buf+val_offset, DECIMAL_MAX_STR_LENGTH, &my_charset_bin);
+      String str(buf+val_offset, DECIMAL_MAX_STR_LENGTH + 1, &my_charset_bin);
       my_decimal dec;
       binary2my_decimal(E_DEC_FATAL_ERROR, (uchar*) (val+2), &dec, val[0],
                         val[1]);
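Review bot: The `+ 1` added to the my_malloc size and again to the String capacity on the two changed lines is an unexplained magic number, and the same literal is now repeated in sql/my_decimal.cc (where it reads as `+ 1 + 1`), in both Protocol_text::store_decimal and Protocol_binary::store_decimal in sql/protocol.cc, and in collect_decimal in sql/sql_analyse.cc. The reason is visible only in strings/decimal.c, where decimal2string() takes one byte off `*to_len` to reserve room for the terminating NUL, so a reader of any of the five call sites cannot tell whether the extra byte is for the sign, the point or the terminator. Either give the size a name defined next to DECIMAL_MAX_STR_LENGTH and use it everywhere, or at least annotate each site, e.g. `/* +1: decimal2string() reserves one byte of the buffer for the terminating NUL */`. In my_decimal.cc the two adjacent `+ 1` terms should each carry their own comment, since without them the expression looks like a typo. User_var_log_event::pack_info starts and ends outside this hunk.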

=== modified file 'sql/my_decimal.cc'
--- a/sql/my_decimal.cc	2011-05-05 06:55:53 +0000
+++ b/sql/my_decimal.cc	2011-05-05 10:52:34 +0000
@@ -106,7 +106,7 @@ int my_decimal2string(uint mask, const m
     required size of the buffer.
   */
   int length= (fixed_prec
-               ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1)
+               ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1 + 1)
                : my_decimal_string_length(d));
   int result;
   if (str->alloc(length))

=== modified file 'sql/protocol.cc'
--- a/sql/protocol.cc	2011-03-22 11:44:40 +0000
+++ b/sql/protocol.cc	2011-05-05 10:52:34 +0000
@@ -1063,7 +1063,7 @@ bool Protocol_text::store_decimal(const 
               field_types[field_pos] == MYSQL_TYPE_NEWDECIMAL);
   field_pos++;
 #endif
-  char buff[DECIMAL_MAX_STR_LENGTH];
+  char buff[DECIMAL_MAX_STR_LENGTH + 1];
   String str(buff, sizeof(buff), &my_charset_bin);
   (void) my_decimal2string(E_DEC_FATAL_ERROR, d, 0, 0, 0, &str);
   return net_store_data((uchar*) str.ptr(), str.length());
@@ -1344,7 +1344,7 @@ bool Protocol_binary::store_decimal(cons
               field_types[field_pos] == MYSQL_TYPE_NEWDECIMAL);
   field_pos++;
 #endif
-  char buff[DECIMAL_MAX_STR_LENGTH];
+  char buff[DECIMAL_MAX_STR_LENGTH + 1];
   String str(buff, sizeof(buff), &my_charset_bin);
   (void) my_decimal2string(E_DEC_FATAL_ERROR, d, 0, 0, 0, &str);
   return store(str.ptr(), str.length(), str.charset());

=== modified file 'sql/sql_analyse.cc'
--- a/sql/sql_analyse.cc	2011-03-22 11:44:40 +0000
+++ b/sql/sql_analyse.cc	2011-05-05 10:52:34 +0000
@@ -1102,7 +1102,7 @@ int collect_real(double *element, elemen
 int collect_decimal(uchar *element, element_count count,
                     TREE_INFO *info)
 {
-  char buff[DECIMAL_MAX_STR_LENGTH];
+  char buff[DECIMAL_MAX_STR_LENGTH + 1];
   String s(buff, sizeof(buff),&my_charset_bin);
 
   if (info->found)

=== modified file 'strings/decimal.c'
--- a/strings/decimal.c	2011-05-05 06:55:53 +0000
+++ b/strings/decimal.c	2011-05-05 10:52:34 +0000
@@ -369,20 +369,28 @@ int decimal2string(const decimal_t *from
   }
   else if (unlikely(len > --*to_len)) /* reserve one byte for \0 */
   {
-    int j= len-*to_len;
+    int j= len - *to_len;             /* excess printable chars */
     error= (frac && j <= frac + 1) ? E_DEC_TRUNCATED : E_DEC_OVERFLOW;
-    if (frac && j >= frac + 1) j--;
+
+    /*
+      If we need to cut more places than frac is wide, we'll end up
+      dropping the decimal point as well.  Account for this.
+    */
+    if (frac && j >= frac + 1)
+      j--;
+
     if (j > frac)
     {
-      intg-= j-frac;
+      intg_len= intg-= j-frac;
       frac= 0;
     }
     else
       frac-=j;
+    frac_len= frac;
     len= from->sign + intg_len + test(frac) + frac_len;
   }
-  *to_len=len;
-  s[len]=0;
+  *to_len= len;
+  s[len]= 0;
 
   if (from->sign)
     *s++='-';
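Review bot: Nothing in the truncation branch bounds `j - frac` by `intg`, so when the caller's buffer is smaller than the sign plus the integer digits, `intg_len= intg-= j-frac;` drives both counters negative and `len` (computed from `intg_len` on the next line) can reach zero or below, at which point `s[len]= 0;` writes before the start of the buffer; the callers patched in this commit size their buffers generously, so this is a latent rather than a triggered problem, but decimal2string() is a public helper. A guard before the branch would make the assumption explicit, e.g. `DBUG_ASSERT(j - frac <= intg);` in debug builds, with an early `*to_len= 0; return E_DEC_OVERFLOW;` for release builds so no store depends on a negative length. Separately, the chained assignment `intg_len= intg-= j-frac;` is hard to read and hides that two values are being changed; two statements with a short comment on why intg_len must track intg after truncation would be clearer. decimal2string() starts before this hunk and continues after it.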
@@ -404,14 +412,14 @@ int decimal2string(const decimal_t *from
         x*=10;
       }
     }
-    for(; fill; fill--)
+    for(; fill > 0; fill--)
       *s1++=filler;
   }
 
   fill= intg_len - intg;
   if (intg == 0)
     fill--; /* symbol 0 before digital point */
-  for(; fill; fill--)
+  for(; fill > 0; fill--)
     *s++=filler;
   if (intg)
   {
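Review bot: The two loops now test `fill > 0` instead of `fill`, but the hunk does not say why `fill` can be negative, so the next reader will see the stricter condition as a no-op. For the integer loop the cause is in the truncation path earlier in the function: it sets `intg_len= intg`, and the `if (intg == 0) fill--;` directly above then yields `fill == -1`, which the old `for(; fill; fill--)` would have run through as an unbounded loop writing `filler` past the buffer; a comment such as `/* fill can be -1 here: truncation above may set intg_len == intg with intg == 0 */` on the integer loop would record that. Whether the fractional-part loop can see a negative `fill` is not visible in this hunk (its `fill` is computed earlier), so that loop's guard should either get its own reason or be marked as defensive. decimal2string() starts before this hunk and continues after it.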
@@ -429,6 +437,7 @@ int decimal2string(const decimal_t *from
   }
   else
     *s= '0';
+
   return error;
 }
 


Attachment: [text/bzr-bundle] bzr/azundris@sun.com-20110505105234-zwr6oenmsq5nd3zm.bundle