MDEV-23895 Server crash, ASAN heap-buffer-overflow or Valgrind Invalid write in Item_func_rpad::val_str

Item_cache_int::val_str() and Item_cache_real::val_str() erroneously
used default_charset(). Fixing to return my_charset_numeric instead.
Alexander Barkov 2024-11-05 12:36:08 +04:00
parent eb41c1171e
commit 7741065936
3 changed files with 43 additions and 2 deletions


@ -6557,3 +6557,23 @@ c1
#
# End of 10.5 tests
#
#
# Start of 10.6 tests
#
#
# MDEV-23895 Server crash, ASAN heap-buffer-overflow or Valgrind Invalid write in Item_func_rpad::val_str
#
CREATE TABLE t1 (a CHAR(8));
INSERT INTO t1 VALUES ('foo'),('bar');
SET collation_connection= ucs2_danish_ci;
SET last_insert_id=0;
SELECT * FROM t1 WHERE RPAD(a, 50, LAST_INSERT_ID());
a
Warnings:
Warning 1292 Truncated incorrect DOUBLE value: 'foo00000000000000000000000000000000000000000000000'
Warning 1292 Truncated incorrect DOUBLE value: 'bar00000000000000000000000000000000000000000000000'
DROP TABLE t1;
SET names latin1;
#
# End of 10.6 tests
#


@ -1239,3 +1239,24 @@ SELECT CAST(CONVERT('-9223372036854775808' USING ucs2) AS SIGNED) AS c1;
--echo #
--echo # End of 10.5 tests
--echo #
--echo #
--echo # Start of 10.6 tests
--echo #
--echo #
--echo # MDEV-23895 Server crash, ASAN heap-buffer-overflow or Valgrind Invalid write in Item_func_rpad::val_str
--echo #
CREATE TABLE t1 (a CHAR(8));
INSERT INTO t1 VALUES ('foo'),('bar');
SET collation_connection= ucs2_danish_ci;
SET last_insert_id=0;
SELECT * FROM t1 WHERE RPAD(a, 50, LAST_INSERT_ID());
DROP TABLE t1;
SET names latin1;
--echo #
--echo # End of 10.6 tests
--echo #
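Review bot: The new case covers only the integer cache path: `RPAD(a, 50, LAST_INSERT_ID())` presumably reaches `Item_cache_int::val_str`, while the `Item_cache_double::val_str` change in the same commit has no regression case here. A second `SELECT` whose pad argument is a cached DOUBLE value, run under the same `ucs2_danish_ci` connection collation, would pin that half of the fix. Because the reported failure is an out-of-bounds write, this test is mainly meaningful on ASAN or Valgrind builds and may pass on a plain build even if the bug returns. A comment before the `SELECT`, such as `# Must stay clean under ASAN/Valgrind: numeric pad string with a ucs2 connection collation`, would tell the next maintainer why the statement is shaped this way.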


@ -10372,7 +10372,7 @@ String *Item_cache_int::val_str(String *str)
{
if (!has_value())
return NULL;
str->set_int(value, unsigned_flag, default_charset());
str->set_int(value, unsigned_flag, &my_charset_numeric);
return str;
}
@ -10613,7 +10613,7 @@ String* Item_cache_double::val_str(String *str)
{
if (!has_value())
return NULL;
str->set_real(value, decimals, default_charset());
str->set_real(value, decimals, &my_charset_numeric);
return str;
}
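Review bot: Neither changed call says why `&my_charset_numeric` is required, so a later reader could easily restore `default_charset()` as the more natural-looking choice. This applies to both hunks (`Item_cache_int::val_str` and `Item_cache_double::val_str`); a comment above each call such as `// Numeric text is always my_charset_numeric; default_charset() may be a multi-byte connection charset (e.g. ucs2) that callers did not size their buffers for` would record the reason, though the buffer-sizing part is inferred from the MDEV title and should be confirmed. The fix corrects only the producer of the string: `Item_func_rpad::val_str`, where the invalid write was reported, is not in this diff, so whether it checks the pad string's charset and length against its own allocation cannot be confirmed from here. It is also worth checking whether any other `Item_cache_*::val_str` still passes `default_charset()` for a numeric value. Both function signatures appear only in the hunk headers, so the enclosing definitions start outside the visible lines.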