database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-29108 RANDOM_BYTES - assertion in Create_tmp_table::finalize

Browse Source 
Setting max_length to a negative value in Item_func_random_bytes::fix_length_and_dec
underflowed resulting in debug optimizer assertion.

Also set the maximium to 1024 rather than MAX_BLOB_WIDTH because
we aren't going to return more than that.
This commit is contained in:
Daniel Black
2022-07-19 14:01:17 +10:00
committed by Sergei Golubchik
parent a95268c5b3
commit 7f06f68108
3 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
mysql-test/main/func_str.result
View File

@ -5319,5 +5319,13 @@ ERROR 22003: length value is out of range in 'random_bytes('res')'
SELECT random_bytes('test');
ERROR 22003: length value is out of range in 'random_bytes('test')'
#
# MDEV-29108: RANDOM_BYTES - assertion in Create_tmp_table::finalize
#
CREATE TABLE t (a INT);
INSERT INTO t VALUES (1),(2);
SELECT RANDOM_BYTES(-10) f1, IFNULL(a,1) f2 FROM t GROUP BY f1, f2;
ERROR 22003: length value is out of range in 'random_bytes(-10)'
DROP TABLE t;
#
# End of 10.10 tests
#

12
mysql-test/main/func_str.test
View File

@ -2247,6 +2247,18 @@ SELECT random_bytes('res');
--error 1690
SELECT random_bytes('test');
--echo #
--echo # MDEV-29108: RANDOM_BYTES - assertion in Create_tmp_table::finalize
--echo #
CREATE TABLE t (a INT);
INSERT INTO t VALUES (1),(2);
--error 1690
SELECT RANDOM_BYTES(-10) f1, IFNULL(a,1) f2 FROM t GROUP BY f1, f2;
# Cleanup
DROP TABLE t;
--echo #
--echo # End of 10.10 tests
--echo #

10
sql/item_strfunc.cc
View File

@ -1478,15 +1478,17 @@ String *Item_func_sformat::val_str(String *res)
#include <openssl/rand.h>
#include <openssl/err.h>
static const int MAX_RANDOM_BYTES= 1024;
bool Item_func_random_bytes::fix_length_and_dec(THD *thd)
{
used_tables_cache|= RAND_TABLE_BIT;
if (args[0]->can_eval_in_optimize())
{
max_length= MY_MIN((int32) args[0]->val_int(), MAX_BLOB_WIDTH);
max_length= MY_MAX(0, MY_MIN((int32) args[0]->val_int(), MAX_RANDOM_BYTES));
return false;
}
max_length= MAX_BLOB_WIDTH;
max_length= MAX_RANDOM_BYTES;
return false;
}
@ -1506,7 +1508,7 @@ String *Item_func_random_bytes::val_str(String *str)
goto err;
null_value= 0;
if (count < 1 || count > 1024)
if (count < 1 || count > MAX_RANDOM_BYTES)
{
char buf[256];
String msg(buf, sizeof(buf), system_charset_info);
@ -1531,7 +1533,7 @@ String *Item_func_random_bytes::val_str(String *str)
}
return make_empty_result(str);
}
return str;
err: