
Bug#52168 decimal casting catastrophes: crashes and valgrind errors on simple casts

The problem is that if a NULL is stored in an Item_cache_decimal object,
the associated my_decimal object is not initialized.  However, it is still
accessed when val_int() is called. The fix is to check for null_value
within val_int(), and return without accessing the my_decimal object when
the cached value is NULL.

Bug#52122 reports the same issue for val_real(), and this patch also includes
fixes for val_real() and val_str() and corresponding test cases from that
bug report.  

Also, NULL is returned from val_decimal() when the value is null. This
prevents callers from accessing an uninitialized my_decimal object.

Made similar changes to all other Item_cache classes.  Now all val_*
methods should return a well defined value when actual value is NULL.

mysql-test/r/type_decimal.result:
  Updated result file with test cases for Bug#52168 and Bug#52122.
mysql-test/t/type_decimal.test:
  Added test cases for Bug#52168 and Bug#52122.
sql/item.cc:
  In Item_cache_*::val_* methods, return a well defined value
  when actual value is NULL.
  
  This is especially important for Item_cache_decimal since
  otherwise one risk accessing an uninitialized my_decimal object.
sql/item.h:
  Added method Item_cache::has_value() which returns TRUE if cache 
  object contains a non-null value.
This commit is contained in:
unknown
2010-05-28 17:30:39 +02:00
parent ba36de4f2e
commit 229cc4e191
4 changed files with 96 additions and 18 deletions


@ -542,3 +542,44 @@ select max(case 1 when 1 then c else null end) from t1 group by c;
drop table t1;
--echo End of 5.0 tests
#
# Bug#52168 decimal casting catastrophes:
# crashes and valgrind errors on simple casts
#
# Uninitialized read when calling Item_cache_decimal::val_int()
CREATE TABLE t1 (a INTEGER);
INSERT INTO t1 VALUES (NULL);
CREATE TABLE t2 (b INTEGER);
INSERT INTO t2 VALUES (NULL), (NULL);
SELECT b FROM t1 JOIN t2 WHERE CONVERT(a, DECIMAL)|CONVERT(b, DECIMAL);
DROP TABLE t1, t2;
#
# Bug#52122 crash when converting derived table column to decimal
#
CREATE TABLE t1 (col0 INTEGER, col1 REAL);
CREATE TABLE t2 (col0 INTEGER);
INSERT INTO t1 VALUES (0, 0.0), (NULL, NULL);
INSERT INTO t2 VALUES (1);
# Uninitialized read when calling Item_cache_decimal::val_real()
SELECT 1 FROM t1
JOIN
(
SELECT t2.col0 FROM t2 RIGHT JOIN t1 USING(col0)
GROUP BY t2.col0
) AS subq
WHERE t1.col1 + CAST(subq.col0 AS DECIMAL);
# Uninitialized read when calling Item_cache_decimal::val_str()
SELECT 1 FROM t1
JOIN
(
SELECT t2.col0 FROM t2 RIGHT JOIN t1 USING(col0)
GROUP BY t2.col0
) AS subq
WHERE CONCAT(t1.col1, CAST(subq.col0 AS DECIMAL));
DROP TABLE t1, t2;
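Review bot: The three new SELECTs (after the `# Uninitialized read when calling ...` comments) are all expected to produce an empty result, but nothing in the test says so, so a reader of the .result file cannot tell whether an empty section is the intended outcome or a silently broken reproducer. Above the first `CREATE TABLE t1 (a INTEGER);` I would add `# Every SELECT below must return no rows; the regression shows up only as a crash or a valgrind uninitialized-read report, never in the result file.` The NULL-only fixtures are presumably deliberate, since a NULL cached value is exactly the case the fix guards, so a comment such as `# NULL inputs are required: the bug is in Item_cache_decimal with a NULL cached value` would stop a later cleanup from replacing them with non-NULL rows. The rendered hunk shows 37 of the 44 new-side lines the header announces, so blank separator lines were apparently dropped and the test block may continue past the last line shown.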