From:Tatjana A Nuernberg Date:October 4 2007 5:49am
Subject:bk commit into 5.0 tree (tnurnberg:1.2526) BUG#31227
Below is the list of changes that have just been committed into a local
5.0 repository of tnurnberg. When tnurnberg does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-10-04 07:49:08+02:00, tnurnberg@stripped +3 -0
  Bug#31227: memory overrun with decimal (6,6) and zerofill and group_concat
  
  This is a pathological case.
  DECIMAL(a,b) == a digits altogether, of which b are fractional.
  DECIMAL(5,3)    123.45, or -123.45(!)
  
  This requires a characters,
  plus one extra for sign,
  plus one for decimal point if b>0,
  *plus* one extra for a leading '0' if a==b:
  
  DECIMAL(6,6)  -0.123456:
  (sign) (zero) (point) (6 decimal places) (\0)
  
  This leading '0' was not factored in.

  mysql-test/r/type_decimal.result@stripped, 2007-10-04 07:49:03+02:00, tnurnberg@stripped +8 -0
    show that we allocate a large enough buffer for output of DECIMAL(a,a).
    without patch for bug#31227, valgrind will complain here; so will a
    debug build.

  mysql-test/t/type_decimal.test@stripped, 2007-10-04 07:49:03+02:00, tnurnberg@stripped +12 -1
    show that we allocate a large enough buffer for output of DECIMAL(a,a).
    without patch for bug#31227, valgrind will complain here; so will a
    debug build.

  sql/my_decimal.cc@stripped, 2007-10-04 07:49:03+02:00, tnurnberg@stripped +3 -1
    Even if the user only requests decimal places for
    DECIMAL (as in DECIMAL(a,a)), we'll print a leading
    zero before the decimal point. Make sure we allocate
    one extra character for the '0' in such cases.

diff -Nrup a/mysql-test/r/type_decimal.result b/mysql-test/r/type_decimal.result
--- a/mysql-test/r/type_decimal.result	2007-06-13 18:32:34 +02:00
+++ b/mysql-test/r/type_decimal.result	2007-10-04 07:49:03 +02:00
@@ -683,6 +683,7 @@ select * from t1;
 a	b
 123.12345	123.1
 drop table t1;
+End of 4.1 tests
 CREATE TABLE t1
 (EMPNUM   CHAR(3) NOT NULL,
 HOURS    DECIMAL(5));
@@ -799,3 +800,10 @@ SELECT ROUND(qty,3), dps, ROUND(qty,dps)
 ROUND(qty,3)	dps	ROUND(qty,dps)
 1.133	3	1.133
 DROP TABLE t1;
+create table t1 (f1 decimal(6,6) zerofill not null);
+insert into t1 values (0.123456),(0.2),(0.3);
+select group_concat(f1) from t1;
+group_concat(f1)
+0.123456,0.200000,0.300000
+drop table t1;
+End of 5.0 tests
diff -Nrup a/mysql-test/t/type_decimal.test b/mysql-test/t/type_decimal.test
--- a/mysql-test/t/type_decimal.test	2007-06-13 18:32:34 +02:00
+++ b/mysql-test/t/type_decimal.test	2007-10-04 07:49:03 +02:00
@@ -278,7 +278,7 @@ update t1 set b=a;                      
 select * from t1;                                                               
 drop table t1;                                                                  
 
-# End of 4.1 tests
+--echo End of 4.1 tests
 
 #
 # Test for BUG#8397: decimal type in subselects (Item_cache_decimal)
@@ -408,3 +408,14 @@ INSERT INTO t1 VALUES (1.1325,3);
 SELECT ROUND(qty,3), dps, ROUND(qty,dps) FROM t1;
 
 DROP TABLE t1;
+
+#
+# Bug #31227: memory overrun with decimal (6,6) and zerofill and group_concat
+# valgrind will complain about this on unpatched mysqld.
+#
+create table t1 (f1 decimal(6,6) zerofill not null);
+insert into t1 values (0.123456),(0.2),(0.3);
+select group_concat(f1) from t1;
+drop table t1;
+
+--echo End of 5.0 tests
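Review bot: The case added at the end of type_decimal.test covers only the `fixed_prec == fixed_dec` arm of the new length calculation. Its own comment says the overrun is reported by valgrind (the commit message adds a debug build), so a plain release run would presumably pass against an unpatched server too. I would add a neighbouring case where precision and scale differ, for example `create table t1 (f1 decimal(6,5) zerofill not null);` followed by the same `select group_concat(f1) from t1;`, so both arms of the ternary are pinned. type_decimal.result would need the matching expected rows.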
diff -Nrup a/sql/my_decimal.cc b/sql/my_decimal.cc
--- a/sql/my_decimal.cc	2007-05-16 10:44:40 +02:00
+++ b/sql/my_decimal.cc	2007-10-04 07:49:03 +02:00
@@ -85,7 +85,9 @@ int my_decimal2string(uint mask, const m
                       uint fixed_prec, uint fixed_dec,
                       char filler, String *str)
 {
-  int length= (fixed_prec ? (fixed_prec + 1) : my_decimal_string_length(d));
+  int length= (fixed_prec
+               ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1)
+               : my_decimal_string_length(d));
   int result;
   if (str->alloc(length))
     return check_result(mask, E_DEC_OOM);
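Review bot: The new `length` expression in my_decimal2string() reserves space for the digits, one decimal point and the forced leading zero, but nothing for a sign or a terminator, and no comment explains why that is sufficient. The commit message counts the sign and the `\0` as well, so the code presumably relies on `fixed_prec` being non-zero only for ZEROFILL (and therefore unsigned) columns and on `str->alloc()` reserving the terminator byte itself; neither is visible in this hunk. Since an undersized value here is a heap overrun, I would record both assumptions directly above the assignment, e.g. `/* fixed_prec != 0 only for ZEROFILL (unsigned): digits + '.' + forced leading '0'; no sign needed; alloc() is expected to add room for the NUL */`, after confirming them against the callers and String::alloc(). The function body continues past the end of the hunk.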