Fix for bug #41868: crash or memory overrun with concat + upper,

date_format functions String::realloc() did not check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer (i.e.alloced == FALSE). This could lead to memory overruns in some cases. client/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer. mysql-test/r/func_str.result: Added a test case for bug #41868. mysql-test/t/func_str.test: Added a test case for bug #41868. sql/sql_class.cc: After each call to Item::send() in select_send::send_data() reset buffer to its original state to reduce unnecessary malloc() calls. See comments for bug #41868 for detailed analysis. sql/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
2026-05-09 00:24:30 +02:00 · 2009-02-10 15:38:56 +03:00 · 2009-02-10 15:38:56 +03:00 · fd8bf58ca9
commit fd8bf58ca9
parent ecfdc3560c
5 changed files with 32 additions and 18 deletions
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &items)
      my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
      break;
    }
+    /*
+      Reset buffer to its original state, as it may have been altered in
+      Item::send().
+    */
+    buffer.set(buff, sizeof(buff), &my_charset_bin);
  }
  thd->sent_row_count++;
  if (!thd->vio_ok())