database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-33468: Crash due to missing stack overrun check in two recursive functions

Browse Source 
Thanks to Yury Chaikou for finding this problem (and the fix).

Reviewed-by: Monty <monty@mariadb.org>
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
This commit is contained in:
Kristian Nielsen
2024-02-15 10:41:23 +01:00
parent fdaa7a96ed
commit 5707f1efda
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
sql/item.cc
View File

@ -27,6 +27,7 @@
#include "sp_rcontext.h" #include "sp_rcontext.h"
#include "sp_head.h" #include "sp_head.h"
#include "sql_trigger.h" #include "sql_trigger.h"
#include "sql_parse.h"
#include "sql_select.h" #include "sql_select.h"
#include "sql_show.h" // append_identifier #include "sql_show.h" // append_identifier
#include "sql_view.h" // VIEW_ANY_SQL #include "sql_view.h" // VIEW_ANY_SQL
@ -485,7 +486,10 @@ void Item::print_parenthesised(String *str, enum_query_type query_type,
bool need_parens= precedence() < parent_prec; bool need_parens= precedence() < parent_prec;
if (need_parens) if (need_parens)
str->append('('); str->append('(');
print(str, query_type); if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
str->append("<STACK OVERRUN>");
else
print(str, query_type);
if (need_parens) if (need_parens)
str->append(')'); str->append(')');
} }

6
sql/sql_select.cc
View File

@ -17662,6 +17662,12 @@ Item_cond::remove_eq_conds(THD *thd, Item::cond_result *cond_value,
bool and_level= functype() == Item_func::COND_AND_FUNC; bool and_level= functype() == Item_func::COND_AND_FUNC;
List<Item> *cond_arg_list= argument_list(); List<Item> *cond_arg_list= argument_list();
if (check_stack_overrun(thd, STACK_MIN_SIZE, NULL))
{
*cond_value= Item::COND_FALSE;
return (COND*) 0; // Fatal error flag is set!
}
if (and_level) if (and_level)
{ {
/* /*