
Bug #26303: Reserve is not called before qs_append().

This may lead to buffer overflow.
The String::qs_append() function will append a string
without checking if there's enough space.
So String::reserve() must be called beforehand to ensure
there's enough space in the buffer for the subsequent
qs_append() calls.
Fixed Item_case_expr::print() to make sure there's
enough space before appending data by adding a call to 
String::reserve() to make sure qs_append() will have 
enough space.


mysql-test/r/sp-code.result:
  Bug #26303: test case
mysql-test/t/sp-code.test:
  Bug #26303: test case
sql/item.cc:
  Bug #26303: added a call to String::reserve() to
   make sure qs_append will have enough space
sql/item.h:
  Bug #26303: m_case_expr_id made unsigned 
  because it's offset in an array.
This commit is contained in:
unknown
2007-03-26 12:32:51 +03:00
parent c242662096
commit 9e6a59598c
4 changed files with 40 additions and 3 deletions


@@ -447,3 +447,21 @@ DROP PROCEDURE p1;
--echo End of 5.0 tests.
#
# Bug #26303: reserve() not called before qs_append() may lead to buffer
# overflow
#
DELIMITER //;
CREATE PROCEDURE p1()
BEGIN
DECLARE dummy int default 0;
CASE 12
WHEN 12
THEN SET dummy = 0;
END CASE;
END//
DELIMITER ;//
SHOW PROCEDURE CODE p1;
DROP PROCEDURE p1;