From b1009ddfc9ea0c2f013d4789d3e3d7b3a13bc239 Mon Sep 17 00:00:00 2001
From: Monty
Date: Mon, 7 Jun 2021 18:15:39 +0300
Subject: [PATCH] MDEV-25778 Overrun buffer in to_string_native()

Problem was that str->alloc(length) needed a buffer of length+1 as decimals2string() will add an end null.
---
 mysql-test/main/strings.result | 9 +++++++++
 mysql-test/main/strings.test | 9 +++++++++
 sql/my_decimal.cc | 2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/mysql-test/main/strings.result b/mysql-test/main/strings.result
index 7b71b593a97..1653812fb77 100644
--- a/mysql-test/main/strings.result
+++ b/mysql-test/main/strings.result
@@ -8,3 +8,12 @@ CHANGE MASTER TO master_user='user',master_password='pwd';
 ERROR HY000: \042D\0442\0443 \043E\043F\0435\0440\0430\0446\0438\044E \043D\0435\0432\043E\0437\043C\043E\0436\043D\043E \0432\044B\043F\043E\043B\043D\0438\0442\044C \043F\0440\0438 \0440\0430\0431\043E\0442\0430\044E\0449\0435\043C \043F\043E\0442\043E\043A\0435 \043F\043E\0434\0447\0438\043D\0435\043D\043D\043E\0433\043E \0441\0435\0440\0432\0435\0440\0430 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 STOP SLAVE;
 RESET SLAVE ALL;
+#
+# MDEV-25778 Overrun buffer in to_string_native()
+#
+CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
+INSERT INTO t1 (a) VALUES (0.1),(0.2);
+SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
+f COUNT(*)
+13 2
+DROP TABLE t1;
diff --git a/mysql-test/main/strings.test b/mysql-test/main/strings.test
index 33ac6b116d5..7daa764afea 100644
--- a/mysql-test/main/strings.test
+++ b/mysql-test/main/strings.test
@@ -15,3 +15,12 @@ START SLAVE sql_thread;
 CHANGE MASTER TO master_user='user',master_password='pwd';
 STOP SLAVE;
 RESET SLAVE ALL;
+
+--echo #
+--echo # MDEV-25778 Overrun buffer in to_string_native()
+--echo #
+
+CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
+INSERT INTO t1 (a) VALUES (0.1),(0.2);
+SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
+DROP TABLE t1;
diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc
index ac86ff71b64..54b038ccb2d 100644
--- a/sql/my_decimal.cc
+++ b/sql/my_decimal.cc
@@ -115,7 +115,7 @@ int my_decimal::to_string_native(String *str, uint fixed_prec, uint fixed_dec,
 ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1)
 : my_decimal_string_length(this));
 int result;
-if (str->alloc(length))
+if (str->alloc(length+1)) // Alloc also space for \0
 return check_result(mask, E_DEC_OOM);
 result= decimal2string(this, (char*) str->ptr(), &length,
 (int)fixed_prec, fixed_dec,
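Review bot: The regression test keys on ENCRYPT(), which returns NULL on builds where crypt() is not available (Windows among them), so the `length(ENCRYPT(a))` row in the matching strings.result hunk would differ there and the test would fail for reasons unrelated to MDEV-25778. Unless strings.test already sources a crypt guard above this hunk, add `--source include/have_crypt.inc` at the top of the file, or move this case into a test that is already guarded. The `--echo` header could also say why ENCRYPT() is the trigger, presumably because it hands the ZEROFILL decimal a String over a fixed-size buffer, so that a later reader does not replace it with an arbitrary string function; confirm that before writing it down. Note that this case only exercises the ZEROFILL (fixed_prec) branch of to_string_native(); the non-ZEROFILL branch is not covered by the new test.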
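Review bot: The extra byte is allocated but never advertised to the callee: `length` is passed unchanged through `&length` to decimal2string() two lines below, so whatever bound check decimal2string() applies to `*to_len` sees a buffer one byte smaller than the one actually reserved, and the terminator it writes lands in the byte only this caller knows about. That is fine as long as decimal2string() treats `*to_len` as the printable length and writes its NUL at `to[*to_len]`, but the one-line comment does not record that contract; I would expand it to `// decimal2string() writes a trailing \0 at ptr()[length], so reserve length+1 bytes here but keep passing the printable length in *to_len`. Because the fixed_prec (ZEROFILL) branch derives `length` arithmetically rather than from the value, a `DBUG_ASSERT(str->alloced_length() > (size_t) length);` just before the decimal2string() call would catch any future drift between the two formulas at negligible cost. If my_decimal_string_length() already accounts for the terminator in the other branch, the +1 is redundant but harmless there, which is worth a word in the same comment. to_string_native() starts before this hunk and the decimal2string() call continues after it.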