From:Tor Didriksen Date:April 25 2012 7:55am
Subject:bzr push into mysql-trunk branch (tor.didriksen:3736 to 3737) Bug#13982125
 3737 Tor Didriksen	2012-04-25
      Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN ITEM_FUNC_MAKETIME::GET_TIME
      
      Add space for null-terminator, which is always added by sprintf.

    modified:
      mysql-test/r/func_time.result
      mysql-test/t/func_time.test
      sql/item_timefunc.cc
 3736 Vasil Dimov	2012-04-25
      Followup to vasil.dimov@stripped,
      adjust a few .result files.

    modified:
      mysql-test/suite/perfschema/r/statement_digest.result
      mysql-test/suite/perfschema/r/statement_digest_consumers.result
      mysql-test/suite/perfschema/r/statement_digest_long_query.result
=== modified file 'mysql-test/r/func_time.result'
--- a/mysql-test/r/func_time.result	2012-02-23 16:32:32 +0000
+++ b/mysql-test/r/func_time.result	2012-04-25 07:55:02 +0000
@@ -1768,3 +1768,10 @@ SELECT a, UNIX_TIMESTAMP(a), UNIX_TIMEST
 a	UNIX_TIMESTAMP(a)	UNIX_TIMESTAMP('5000-01-01 00:00:00')
 5000-01-01 00:00:00	0.000000	0
 DROP TABLE t1;
+#
+# Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN
+#              ITEM_FUNC_MAKETIME::GET_TIME
+#
+DO maketime(~0, 49, 0.123456789);
+Warnings:
+Warning	1292	Truncated incorrect time value: '18446744073709551615:49:00.123456789'

=== modified file 'mysql-test/t/func_time.test'
--- a/mysql-test/t/func_time.test	2012-01-24 11:57:25 +0000
+++ b/mysql-test/t/func_time.test	2012-04-25 07:55:02 +0000
@@ -1095,3 +1095,11 @@ DELETE FROM t1;
 INSERT INTO t1 VALUES ('5000-01-01 00:00:00');
 SELECT a, UNIX_TIMESTAMP(a), UNIX_TIMESTAMP('5000-01-01 00:00:00') FROM t1;
 DROP TABLE t1;
+
+--echo #
+--echo # Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN
+--echo #              ITEM_FUNC_MAKETIME::GET_TIME
+--echo #
+
+DO maketime(~0, 49, 0.123456789);
+
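Review bot: The new regression case covers only the unsigned hour path (`~0`), while the patched code in `sql/item_timefunc.cc` also formats signed hours through the `-10` branch of `longlong10_to_str`, where the minus sign counts toward the same `MAX_BIGINT_WIDTH` budget. A second `DO maketime(...)` case with a large negative hour and a nine-digit fractional second, plus its expected warning in the `.result` file, would pin that branch as well. A `#` comment noting that a regression is presumably only visible under a debug build or memory checker would tell future maintainers why a plain `DO` with no result check is enough here.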

=== modified file 'sql/item_timefunc.cc'
--- a/sql/item_timefunc.cc	2012-03-06 14:29:42 +0000
+++ b/sql/item_timefunc.cc	2012-04-25 07:55:02 +0000
@@ -2865,7 +2865,7 @@ bool Item_func_maketime::get_time(MYSQL_
 
   // Return maximum value (positive or negative)
   set_max_hhmmss(ltime);
-  char buf[MAX_BIGINT_WIDTH /* hh */ + 6 /* :mm:ss */ + 10 /* .fffffffff */];
+  char buf[MAX_BIGINT_WIDTH /* hh */ + 6 /* :mm:ss */ + 10 /* .fffffffff */ +1];
   char *ptr= longlong10_to_str(hour, buf, args[0]->unsigned_flag ? 10 : -10);
   int len = (int)(ptr - buf) +
     sprintf(ptr, ":%02u:%02u", (uint) minute, (uint) second.quot);
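Review bot: The two `sprintf` calls that fill `buf` (the `":%02u:%02u"` one here and the fractional-part one in the next hunk) remain unbounded, so the corrected array size is still an assumption rather than an enforced limit. `%02u` is a minimum width only, so the 6-byte `:mm:ss` budget holds only if `minute` and `second.quot` are restricted to two digits earlier in `get_time`, which this hunk does not show. Passing the remaining space to a bounded formatter, e.g. `snprintf(ptr, sizeof(buf) - (ptr - buf), ":%02u:%02u", (uint) minute, (uint) second.quot)` or the project's equivalent, would enforce it. The bare `+1` would also read better labelled like its neighbours, `+ 1 /* '\0' */`. The function body starts and ends outside this hunk.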
@@ -2875,10 +2875,11 @@ bool Item_func_maketime::get_time(MYSQL_
       Display fractional part up to nanoseconds (9 digits),
       which is the maximum precision of my_decimal2lldiv_t().
     */
-    uint dec= MY_MIN(args[2]->decimals, 9);
+    int dec= MY_MIN(args[2]->decimals, 9);
     len+= sprintf(buf + len, ".%0*lld", dec,
                   second.rem / (ulong) log_10_int[9 - dec]);
   }
+  DBUG_ASSERT(strlen(buf) < sizeof(buf));
   make_truncated_value_warning(ErrConvString(buf, len), MYSQL_TIMESTAMP_TIME);
   return false;
 }
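Review bot: The added `DBUG_ASSERT(strlen(buf) < sizeof(buf))` runs after both `sprintf` calls have already written, so if it can fail the stack has been overrun before the check, and `strlen` itself may then read past `buf`; as a debug macro it is presumably also compiled out of release builds. Checking the tracked length is cheaper and does not depend on finding a terminator: `DBUG_ASSERT(len < (int) sizeof(buf));`. Either form is a diagnostic, not a guard, so production builds are protected only by the size arithmetic on `buf`, and a short comment above the assert saying so would prevent it being mistaken for a bounds check. The enclosing function starts above this hunk.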

No bundle (reason: useless for push emails).