From 95df7ea33a7502dd5ff84e5703e85e07d24c81fb Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Thu, 21 Nov 2024 10:01:48 +0400
Subject: [PATCH] MDEV-31881 ASAN: unknown-crash in check_ulonglong (sql/sql_analyse.cc) on SELECT ... FROM ... PROCEDURE ANALYSE()

Fixing a wrong condition which made the code read 1 byte behind the buffer.
---
 mysql-test/main/func_analyse.result | 10 ++++++++++
 mysql-test/main/func_analyse.test | 9 +++++++++
 sql/sql_analyse.cc | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/func_analyse.result b/mysql-test/main/func_analyse.result
index 1dfdc828793..dc56cf5d7d7 100644
--- a/mysql-test/main/func_analyse.result
+++ b/mysql-test/main/func_analyse.result
@@ -245,5 +245,15 @@ Field_name Min_value Max_value Min_length Max_length Empties_or_zeros Nulls Avg_
 test.t1.c 1.1 1.3 3 3 0 0 3.0000 NULL ENUM('1.1','1.3') NOT NULL
 DROP TABLE t1;
 #
+# MDEV-31881 ASAN: unknown-crash in check_ulonglong (sql/sql_analyse.cc) on SELECT ... FROM ... PROCEDURE ANALYSE()
+#
+CREATE TABLE t (a INT, b CHAR(10));
+INSERT INTO t VALUES (0,'0000000000');
+SELECT * FROM t PROCEDURE ANALYSE();
+Field_name Min_value Max_value Min_length Max_length Empties_or_zeros Nulls Avg_value_or_avg_length Std Optimal_fieldtype
+test.t.a 0 0 1 1 1 0 0.0000 0.0000 ENUM('0') NOT NULL
+test.t.b 0000000000 0000000000 10 10 0 0 10.0000 NULL ENUM('0000000000') NOT NULL
+DROP TABLE t;
+#
 # End of 10.5 tests
 #
diff --git a/mysql-test/main/func_analyse.test b/mysql-test/main/func_analyse.test
index 8afc2ab34a6..f5c027a5283 100644
--- a/mysql-test/main/func_analyse.test
+++ b/mysql-test/main/func_analyse.test
@@ -255,6 +255,15 @@ INSERT INTO t1 VALUES (1.3),(1.1);
 SELECT * FROM t1 PROCEDURE ANALYSE();
 DROP TABLE t1;
 
+--echo #
+--echo # MDEV-31881 ASAN: unknown-crash in check_ulonglong (sql/sql_analyse.cc) on SELECT ... FROM ... PROCEDURE ANALYSE()
+--echo #
+
+CREATE TABLE t (a INT, b CHAR(10));
+INSERT INTO t VALUES (0,'0000000000');
+SELECT * FROM t PROCEDURE ANALYSE();
+DROP TABLE t;
+
 --echo #
 --echo # End of 10.5 tests
 --echo #
diff --git a/sql/sql_analyse.cc b/sql/sql_analyse.cc
index 8dfa1c06d7f..e17c6e190e2 100644
--- a/sql/sql_analyse.cc
+++ b/sql/sql_analyse.cc
@@ -1204,7 +1204,7 @@ uint check_ulonglong(const char *str, uint length)
 const char *long_str = "2147483647", *ulonglong_str = "18446744073709551615";
 const uint long_len = 10, ulonglong_len = 20;
 
- while (*str == '0' && length)
+ while (length && *str == '0')
 {
 str++; length--;
 }
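Review bot: The added case covers only a value that is entirely zeros, so the loop in check_ulonglong strips all ten characters and the old condition dereferenced the byte just past the buffer; that is the exact boundary from the bug report, but it is the only path the new test exercises. A second row such as `INSERT INTO t VALUES (1,'0000000001');` would show in the .result that a value with leading zeros followed by a non-zero digit is still classified correctly after the operand reordering. A third row with an empty string would cover entry into the loop with length already 0, if the analyser passes empty values through to check_ulonglong, which is not visible from this hunk. The corresponding .result hunk would need the extra output rows added as well.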
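Review bot: The reordered condition is correct, but nothing on the new line records why the operand order matters, so a later cleanup or a reviewer unfamiliar with MDEV-31881 could swap it back to the natural-looking `*str == '0' && length` form. A short comment on the added line would pin the invariant, e.g. `while (length && *str == '0')   /* test length first: str[length] is not guaranteed readable (MDEV-31881) */`. After the loop length can be 0 when every byte was '0'; the rest of check_ulonglong continues past the hunk, so whether the comparison against long_str/ulonglong_str handles a zero-length remainder is worth confirming there.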