mirror of https://github.com/MariaDB/server.git synced 2026-01-06 05:22:24 +03:00

Fixed bug #31019: the MOD() function and the % operator crash the server

when a divisor is less than 1 and its fractional part is very long.
For example:
1 % .123456789123456789123456789123456789123456789123456789123456789123456789123456789;

Stack buffer overflow has been fixed in the do_div_mod function.


strings/decimal.c:
  Fixed bug #31019.
  Stack buffer overflow has been fixed in the do_div_mod function:
  a value of the upper bound of the buffer was increased where
  a decrement is required.
mysql-test/t/type_decimal.test:
  Added test case for bug #31019.
mysql-test/r/type_decimal.result:
  Added test case for bug #31019.
unknown
2007-10-08 03:48:59 +05:00
parent a408f34866
commit 60761a7cc6
3 changed files with 16 additions and 1 deletions


@@ -2323,11 +2323,12 @@ static int do_div_mod(decimal_t *from1, decimal_t *from2,
}
if (unlikely(intg0+frac0 > to->len))
{
stop1-=to->len-frac0-intg0;
stop1-=frac0+intg0-to->len;
frac0=to->len-intg0;
to->frac=frac0*DIG_PER_DEC1;
error=E_DEC_TRUNCATED;
}
DBUG_ASSERT(buf0 + (stop1 - start1) <= to->buf + to->len);
while (start1 < stop1)
*buf0++=*start1++;
}
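
Review bot: the DBUG_ASSERT placed before the copy loop is a debug-build check only, so in a release build nothing but the corrected `stop1-=frac0+intg0-to->len;` keeps `*buf0++=*start1++` inside `to->buf + to->len`. That subtraction also depends on running before `frac0=to->len-intg0;` overwrites frac0; if the two lines were ever swapped the adjustment would silently become zero. I'd add a one-line comment above the `stop1-=` line saying that it trims the source range by the number of words that do not fit and must use the pre-truncation frac0. If this copy is not on a hot path, a runtime clamp of stop1 to the space remaining in to->buf would keep a future arithmetic slip from turning into a stack buffer overflow again.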