MDEV-32755 Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122

The buffer ans[65] in Item_func_conv::val_str() was too small. Fixing it to ans[66]. Thanks to Kristian Nielsen for the analysis.
2025-08-08 11:22:35 +03:00 · 2024-11-13 14:27:12 +04:00
parent ccb6cd8053
commit 25be7da202
3 changed files with 39 additions and 1 deletions
--- a/mysql-test/main/func_str.test
+++ b/mysql-test/main/func_str.test
@@ -2421,6 +2421,24 @@ SELECT DISTINCT CONVERT((LPAD(e, -1) AND e) USING utf8) FROM t;
 DROP TABLE t;
 SET sql_mode=DEFAULT;

+--echo #
+--echo # MDEV-32755 Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122
+--echo #
+
+CREATE TABLE t0 ( c55 INT , c38 INT ) ;
+INSERT INTO t0 VALUES ( -54 , -27 ) , ( -107 , -62 ) ;
+CREATE INDEX i0 ON t0 ( c38 ) ;
+INSERT INTO t0 ( c55 ) VALUES ( 43 ) , ( 77 ) ;
+SELECT t0 . c55 AS c47 FROM
+( SELECT c15 AS c40 FROM
+  ( SELECT c55 AS c15 FROM t0 ) AS t1
+  JOIN t0 ON t1.c15 = t1.c15 SOUNDS LIKE + CONV ( -2919286674558440404 , -17 , -2 ) ) AS t2
+  JOIN t0 ON t0.c38 = t0.c38;
+DROP TABLE t0;
+
+SELECT CONV(-29223372036854775809, -10, 18446744073709551614);
+SELECT CONV(1<<63, 10, -2);
+
 --echo #
 --echo # End of 10.6 tests
 --echo #