From: Tor Didriksen
Date: April 25 2012 7:55am
Subject: bzr push into mysql-trunk branch (tor.didriksen:3736 to 3737) Bug#13982125
List-Archive: http://lists.mysql.com/commits/143650
X-Bug: 13982125
Message-Id: <201204250755.q3P7tW2C006327@acsmt357.oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
3737 Tor Didriksen 2012-04-25 Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN ITEM_FUNC_MAKETIME::GET_TIME Add space for null-terminator, which is always added by sprintf. modified: mysql-test/r/func_time.result mysql-test/t/func_time.test sql/item_timefunc.cc
3736 Vasil Dimov 2012-04-25 Followup to vasil.dimov@stripped, adjust a few .result files. modified: mysql-test/suite/perfschema/r/statement_digest.result mysql-test/suite/perfschema/r/statement_digest_consumers.result mysql-test/suite/perfschema/r/statement_digest_long_query.result
=== modified file 'mysql-test/r/func_time.result'
--- a/mysql-test/r/func_time.result 2012-02-23 16:32:32 +0000
+++ b/mysql-test/r/func_time.result 2012-04-25 07:55:02 +0000
@@ -1768,3 +1768,10 @@ SELECT a, UNIX_TIMESTAMP(a), UNIX_TIMEST
 a UNIX_TIMESTAMP(a) UNIX_TIMESTAMP('5000-01-01 00:00:00')
 5000-01-01 00:00:00 0.000000 0
 DROP TABLE t1;
+#
+# Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN
+# ITEM_FUNC_MAKETIME::GET_TIME
+#
+DO maketime(~0, 49, 0.123456789);
+Warnings:
+Warning 1292 Truncated incorrect time value: '18446744073709551615:49:00.123456789'
=== modified file 'mysql-test/t/func_time.test'
--- a/mysql-test/t/func_time.test 2012-01-24 11:57:25 +0000
+++ b/mysql-test/t/func_time.test 2012-04-25 07:55:02 +0000
@@ -1095,3 +1095,11 @@ DELETE FROM t1;
 INSERT INTO t1 VALUES ('5000-01-01 00:00:00');
 SELECT a, UNIX_TIMESTAMP(a), UNIX_TIMESTAMP('5000-01-01 00:00:00') FROM t1;
 DROP TABLE t1;
+
+--echo #
+--echo # Bug#13982125 BUFFER OVERFLOW OF VARIABLE BUF IN
+--echo # ITEM_FUNC_MAKETIME::GET_TIME
+--echo #
+
+DO maketime(~0, 49, 0.123456789);
+
=== modified file 'sql/item_timefunc.cc'
--- a/sql/item_timefunc.cc 2012-03-06 14:29:42 +0000
+++ b/sql/item_timefunc.cc 2012-04-25 07:55:02 +0000
@@ -2865,7 +2865,7 @@ bool Item_func_maketime::get_time(MYSQL_
 // Return maximum value (positive or negative)
 set_max_hhmmss(ltime);
- char buf[MAX_BIGINT_WIDTH /* hh */ + 6 /* :mm:ss */ + 10 /* .fffffffff */];
+ char buf[MAX_BIGINT_WIDTH /* hh */ + 6 /* :mm:ss */ + 10 /* .fffffffff */ +1];
 char *ptr= longlong10_to_str(hour, buf, args[0]->unsigned_flag ? 10 : -10);
 int len = (int)(ptr - buf) + sprintf(ptr, ":%02u:%02u", (uint) minute, (uint) second.quot);
@@ -2875,10 +2875,11 @@ bool Item_func_maketime::get_time(MYSQL_
 Display fractional part up to nanoseconds (9 digits), which is the maximum precision of my_decimal2lldiv_t(). */
- uint dec= MY_MIN(args[2]->decimals, 9);
+ int dec= MY_MIN(args[2]->decimals, 9);
 len+= sprintf(buf + len, ".%0*lld", dec, second.rem / (ulong) log_10_int[9 - dec]);
 }
+ DBUG_ASSERT(strlen(buf) < sizeof(buf));
 make_truncated_value_warning(ErrConvString(buf, len), MYSQL_TIMESTAMP_TIME);
 return false;
 }
No bundle (reason: useless for push emails).
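Review bot: The new `DO maketime(~0, 49, 0.123456789);` only drives the unsigned maximum hour, so the signed branch of `args[0]->unsigned_flag ? 10 : -10` in Item_func_maketime::get_time — a leading '-' plus 19 digits, the other way to fill the `hh` part of the buffer — stays uncovered by this regression test. I would add `DO maketime(-9223372036854775807, 49, 0.123456789);` right after it, with the matching warning line in func_time.result; assuming the parser keeps that literal a signed BIGINT and the negative hour takes the same set_max_hhmmss/warning path, that pins the widest negative hour string as well. The 9-digit fraction already exercises the `.fffffffff` cap, so that part of the budget is pinned by the existing line.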
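Review bot: The `+1` in the `char buf[...]` declaration fixes the terminator, but the budget it guards is still enforced only by arithmetic: the `sprintf(ptr, ":%02u:%02u", ...)` on the last line of the hunk is unbounded, and `%02u` is a minimum width, so the 6 bytes reserved for `:mm:ss` hold only if minute and second.quot were range-checked earlier in get_time, which starts before this hunk. I would bound the write so the array size is the limit rather than a comment: `sprintf(ptr, ...)` → `snprintf(ptr, sizeof(buf) - (ptr - buf), ":%02u:%02u", (uint) minute, (uint) second.quot)` (or the tree's portable snprintf wrapper if plain snprintf is not usable on every platform built here). It would also help to say next to the `/* hh */` term that MAX_BIGINT_WIDTH has to cover the '-' sign longlong10_to_str emits for radix -10 as well as the digits, e.g. `/* hh: sign + digits, see longlong10_to_str() */`, since nothing in the expression makes that visible.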
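Review bot: The added `DBUG_ASSERT(strlen(buf) < sizeof(buf));` runs after both writes and only in debug builds, so it documents the invariant but cannot prevent an overflow — and if the budget is ever exceeded, strlen itself reads past the array before the assert fires. Bounding the fractional write and checking the returned length is stronger: `len+= snprintf(buf + len, sizeof(buf) - len, ".%0*lld", dec, second.rem / (ulong) log_10_int[9 - dec]);` followed by `DBUG_ASSERT(len >= 0 && (size_t) len < sizeof(buf));` before the ErrConvString is built. The `%0*lld` width is likewise only a minimum, so the 10-byte `.fffffffff` term assumes `second.rem / log_10_int[9 - dec]` never has more than dec digits, i.e. second.rem < 10^9; that presumably follows from my_decimal2lldiv_t(), and is worth stating in the comment above the new `int dec` line. The enclosing get_time body starts before this hunk.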