From 25be7da2024902dab7f048dd5e6c3418ea3c92f3 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Wed, 13 Nov 2024 14:27:12 +0400
Subject: [PATCH] MDEV-32755 Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122

The buffer ans[65] in Item_func_conv::val_str() was too small. Fixing it to ans[66]. Thanks to Kristian Nielsen for the analysis.
---
 mysql-test/main/func_str.result | 20 ++++++++++++++++++++
 mysql-test/main/func_str.test | 18 ++++++++++++++++++
 sql/item_strfunc.cc | 2 +-
 3 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/func_str.result b/mysql-test/main/func_str.result
index bcc9721d146..90c8de420f2 100644
--- a/mysql-test/main/func_str.result
+++ b/mysql-test/main/func_str.result
@@ -5377,5 +5377,25 @@ NULL
 DROP TABLE t;
 SET sql_mode=DEFAULT;
 #
+# MDEV-32755 Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122
+#
+CREATE TABLE t0 ( c55 INT , c38 INT ) ;
+INSERT INTO t0 VALUES ( -54 , -27 ) , ( -107 , -62 ) ;
+CREATE INDEX i0 ON t0 ( c38 ) ;
+INSERT INTO t0 ( c55 ) VALUES ( 43 ) , ( 77 ) ;
+SELECT t0 . c55 AS c47 FROM
+( SELECT c15 AS c40 FROM
+( SELECT c55 AS c15 FROM t0 ) AS t1
+JOIN t0 ON t1.c15 = t1.c15 SOUNDS LIKE + CONV ( -2919286674558440404 , -17 , -2 ) ) AS t2
+JOIN t0 ON t0.c38 = t0.c38;
+c47
+DROP TABLE t0;
+SELECT CONV(-29223372036854775809, -10, 18446744073709551614);
+CONV(-29223372036854775809, -10, 18446744073709551614)
+-1000000000000000000000000000000000000000000000000000000000000000
+SELECT CONV(1<<63, 10, -2);
+CONV(1<<63, 10, -2)
+-1000000000000000000000000000000000000000000000000000000000000000
+#
 # End of 10.6 tests
 #
diff --git a/mysql-test/main/func_str.test b/mysql-test/main/func_str.test
index 9735019c132..8fe2892b1e3 100644
--- a/mysql-test/main/func_str.test
+++ b/mysql-test/main/func_str.test
@@ -2421,6 +2421,24 @@ SELECT DISTINCT CONVERT((LPAD(e, -1) AND e) USING utf8) FROM t;
 DROP TABLE t;
 SET sql_mode=DEFAULT;
 
+--echo #
+--echo # MDEV-32755 Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122
+--echo #
+
+CREATE TABLE t0 ( c55 INT , c38 INT ) ;
+INSERT INTO t0 VALUES ( -54 , -27 ) , ( -107 , -62 ) ;
+CREATE INDEX i0 ON t0 ( c38 ) ;
+INSERT INTO t0 ( c55 ) VALUES ( 43 ) , ( 77 ) ;
+SELECT t0 . c55 AS c47 FROM
+( SELECT c15 AS c40 FROM
+ ( SELECT c55 AS c15 FROM t0 ) AS t1
+ JOIN t0 ON t1.c15 = t1.c15 SOUNDS LIKE + CONV ( -2919286674558440404 , -17 , -2 ) ) AS t2
+ JOIN t0 ON t0.c38 = t0.c38;
+DROP TABLE t0;
+
+SELECT CONV(-29223372036854775809, -10, 18446744073709551614);
+SELECT CONV(1<<63, 10, -2);
+
 --echo #
 --echo # End of 10.6 tests
 --echo #
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 15821ad530a..7d47d524ec2 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3520,7 +3520,7 @@ String *Item_func_conv::val_str(String *str)
 {
   DBUG_ASSERT(fixed());
   String *res= args[0]->val_str(str);
-  char *endptr,ans[65],*ptr;
+  char *endptr,ans[66],*ptr;
   longlong dec;
   int from_base= (int) args[1]->val_int();
   int to_base= (int) args[2]->val_int();
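Review bot: The two direct SELECTs at the end of the new block are the statements that actually pin the buffer bound, but nothing in the test says why their arguments are shaped the way they are; the to_base value 18446744073709551614 appears to reach the overflow only because `(int) args[2]->val_int()` in item_strfunc.cc truncates it to -2, and the out-of-range literal with from_base -10 is what pushes the converted value to the 64-bit extreme. The expected output recorded in func_str.result is a sign followed by 64 binary digits, i.e. the longest string CONV can emit, which is exactly the case the one-byte fix covers. A `--echo # Both statements must produce the longest possible CONV output: '-' plus 64 binary digits` line above them would make the regression test self-describing. The fuzzer-derived query above them can stay verbatim; it is the reproducer, not the specification.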
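Review bot: The changed declaration replaces one magic number with another, and the hunk records nowhere why 66 is now enough; the widest string CONV can produce is a 64-bit value rendered in base 2 or -2 — 64 digits plus a leading '-' — which with the terminator is exactly 66 bytes, and the new test's expected output is that 65-character string. A comment on the declaration, `char *endptr,ans[66],*ptr; // 64 binary digits + '-' + '\0': widest output for a 64-bit value in base +/-2`, would keep the bound from being shrunk again by a later cleanup. The body of Item_func_conv::val_str, including the call that writes into ans, continues outside the hunk, so I cannot see whether the writer takes the buffer size; if it does not, a `compile_time_assert`/`DBUG_ASSERT` on `sizeof(ans)` next to that call would be the defensive complement to this fix.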