database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00
Code Activity

Fix for bug #41868: crash or memory overrun with concat + upper,

Browse Source 
date_format functions

String::realloc() did not check whether the existing string data fits in
the newly allocated buffer for cases when reallocating a String object
with external buffer (i.e.alloced == FALSE).  This could lead to memory
overruns in some cases.
This commit is contained in:
Alexey Kopytov
2009-02-10 15:38:56 +03:00
parent 6a834d1f4f
commit a715b70278
5 changed files with 32 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
sql/sql_string.cc
View File

@ -71,25 +71,22 @@ bool String::realloc(uint32 alloc_length)
char *new_ptr;
if (alloced)
{
if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
{
Ptr=new_ptr;
Alloced_length=len;
}
else
return TRUE; // Signal error
if (!(new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
return TRUE; // Signal error
}
else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
{
if (str_length > len - 1)
str_length= 0;
if (str_length) // Avoid bugs in memcpy on AIX
memcpy(new_ptr,Ptr,str_length);
new_ptr[str_length]=0;
Ptr=new_ptr;
Alloced_length=len;
alloced=1;
}
else
return TRUE; // Signal error
Ptr= new_ptr;
Alloced_length= len;
}
Ptr[alloc_length]=0; // This make other funcs shorter
return FALSE;