From 0dec71ca53729bd1a565bdc800e64008b44ffa48 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 18 Aug 2021 16:07:15 +1000
Subject: [PATCH] MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0

Due to an integer overflow an invalid size of ref_pointer_array could be allocated. Using size_t allows this continue. Allocation failures are handled gracefully if the value is too big.

Thanks to Zuming Jiang for the bug report and fuzzing MariaDB.

Reviewer: Sanja
---
 sql/sql_lex.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index eaaa3139c59..b7ed632ed12 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -2698,7 +2698,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
 prepared statement
 */
 Query_arena *arena= thd->stmt_arena;
- const uint n_elems= (n_sum_items +
+ const size_t n_elems= (n_sum_items +
 n_child_sum_items +
 item_list.elements +
 select_n_reserved +
@@ -2706,7 +2706,8 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
 select_n_where_fields +
 order_group_num +
 hidden_bit_fields +
- fields_in_window_functions) * 5;
+ fields_in_window_functions) * (size_t) 5;
+ DBUG_ASSERT(n_elems % 5 == 0);
 if (!ref_pointer_array.is_null())
 {
 /*
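Review bot: The widening to size_t on the new `* (size_t) 5` line covers only the multiplication; the eight-term sum inside the parentheses is still evaluated in the operands' own type, which is uint for order_group_num per the hunk header and presumably for the other counters, so a large enough sum can still wrap to a small value before it is ever multiplied. Widening the first operand instead pushes the whole addition into size_t, `const size_t n_elems= ((size_t) n_sum_items +`, after which the cast on the `5` is redundant and `* 5` suffices. The added `DBUG_ASSERT(n_elems % 5 == 0)` is compiled out of release builds and, once the product is formed in a 64-bit size_t, cannot fail at all; it would only detect a wrap of the product where size_t is 32 bits, so it documents intent rather than guarding anything. A one-line comment above it such as `/* Cannot fail with a 64-bit size_t; the real guard is the allocation-failure handling below */` would stop a reader mistaking it for the fix, with the allocation path itself being outside this hunk and only described by the commit message. setup_ref_array begins before the first hunk and continues past the second, so the use of n_elems is not visible here.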