mirror of
https://github.com/MariaDB/server.git
Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY
Extra fix: 'if (p5 < p5_a + P5A_MAX)' is not portable. p5 starts out pointing to a static array, then may point to a buffer on the stack, then may point to malloc()ed memory.
parent
d27d267ee7
commit
f9b064a406
1 changed files with 9 additions and 5 deletions
|
@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
|
|||
Bigint *b1, *p5, *p51=NULL;
|
||||
int i;
|
||||
static int p05[3]= { 5, 25, 125 };
|
||||
my_bool overflow= FALSE;
|
||||
|
||||
if ((i= k & 3))
|
||||
b= multadd(b, p05[i-1], 0, alloc);
|
||||
|
@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
|
|||
if (!(k>>= 1))
|
||||
break;
|
||||
/* Calculate next power of 5 */
|
||||
if (p5 < p5_a + P5A_MAX)
|
||||
++p5;
|
||||
else if (p5 == p5_a + P5A_MAX)
|
||||
p5= mult(p5, p5, alloc);
|
||||
else
|
||||
if (overflow)
|
||||
{
|
||||
p51= mult(p5, p5, alloc);
|
||||
Bfree(p5, alloc);
|
||||
p5= p51;
|
||||
}
|
||||
else if (p5 < p5_a + P5A_MAX)
|
||||
++p5;
|
||||
else if (p5 == p5_a + P5A_MAX)
|
||||
{
|
||||
p5= mult(p5, p5, alloc);
|
||||
overflow= TRUE;
|
||||
}
|
||||
}
|
||||
if (p51)
|
||||
Bfree(p51, alloc);
|
||||
|
|
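Review bot: The first computed square, produced in the `p5 == p5_a + P5A_MAX` branch, is held only in `p5`, so the closing `if (p51) Bfree(p51, alloc);` never releases it when the loop takes `break` on the very next pass, before the `overflow` branch has assigned `p51`. Whenever `overflow` is TRUE, `p5` is the live allocation (and equals `p51` once that is set), so the cleanup can key on the flag instead: `if (overflow) Bfree(p5, alloc);`. Whether the missed case is an actual leak depends on how `mult` and `Bfree` treat `Stack_alloc` memory, which is not visible here. Since the bug title describes a leak triggered by a simple query, it is worth confirming with a `k` that exits right after the transition. The start of `pow5mult` and the head of the loop lie outside these hunks.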