mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-29 10:14:19 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0

Browse source 
Due to an integer overflow an invalid size of ref_pointer_array could be
allocated.

Using size_t allows this continue. Allocation failures are
handled gracefully if the value is too big.

Thanks to Zuming Jiang for the bug report and fuzzing MariaDB.

Reviewer: Sanja
This commit is contained in:
Daniel Black 2021-08-18 16:07:15 +10:00
parent f73eea4984
commit 0dec71ca53
1 changed files with 3 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
sql/sql_lex.cc
View file

@ -2698,7 +2698,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
prepared statement
*/
Query_arena *arena= thd->stmt_arena;
const uint n_elems= (n_sum_items +
const size_t n_elems= (n_sum_items +
n_child_sum_items +
item_list.elements +
select_n_reserved +
@ -2706,7 +2706,8 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
select_n_where_fields +
order_group_num +
hidden_bit_fields +
fields_in_window_functions) * 5;
fields_in_window_functions) * (size_t) 5;
DBUG_ASSERT(n_elems % 5 == 0);
if (!ref_pointer_array.is_null())
{
/*