From c8d7a31f35bc988362ec07c2e2520a0dc511eebe Mon Sep 17 00:00:00 2001 From: Tor Didriksen Date: Fri, 8 Oct 2010 11:52:09 +0200 Subject: [PATCH] Bug#57209 valgrind + Assertion failed: dst > buf Buffer overrun when trying to format DBL_MAX mysql-test/r/func_math.result: Add test case for Bug#57209 mysql-test/t/func_math.test: Add test case for Bug#57209 sql/item_strfunc.cc: Allocate a larger buffer for the result. --- mysql-test/r/func_math.result | 7 +++++++ mysql-test/t/func_math.test | 6 ++++++ sql/item_strfunc.cc | 5 +++-- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/mysql-test/r/func_math.result b/mysql-test/r/func_math.result index 307f1714132..bfb3af0afff 100644 --- a/mysql-test/r/func_math.result +++ b/mysql-test/r/func_math.result @@ -600,3 +600,10 @@ NULL SELECT -9223372036854775808 MOD -1; -9223372036854775808 MOD -1 0 +# +# Bug #57209 valgrind + Assertion failed: dst > buf +# +SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821))) +as foo; +foo +2 diff --git a/mysql-test/t/func_math.test b/mysql-test/t/func_math.test index 44af2f5ad3f..efdf7201a40 100644 --- a/mysql-test/t/func_math.test +++ b/mysql-test/t/func_math.test @@ -458,3 +458,9 @@ SELECT 2 DIV -2; SELECT -(1 DIV 0); # Crashed the server with SIGFPE before the bugfix SELECT -9223372036854775808 MOD -1; + +--echo # +--echo # Bug #57209 valgrind + Assertion failed: dst > buf +--echo # +SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821))) +as foo; diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index 6d3514bf356..89c1e785c71 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc 
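Review bot: The regression test in func_math.test pins only `floor(log10(...))` of the formatted value, so it shows the server survives the DBL_MAX-sized input under the default locale but never inspects the formatted string itself, and the default grouping is the least demanding case for the buffer the fix enlarges. A second line that checks the raw output, e.g. `SELECT LENGTH(format(concat_ws(5445796E25, 5306463, 30837), -358821));`, would pin the grouped length the new buffer is sized for, and if the tree ships a locale with one-digit grouping, the same SELECT run under that locale would exercise the worst case the new comment in item_strfunc.cc describes. The expected values for such lines would have to be taken from a fixed build, which is not visible here.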
@@ -2299,7 +2299,8 @@ String *Item_func_format::val_str_ascii(String *str) if (lc->grouping[0] > 0 && str_length >= dec_length + 1 + lc->grouping[0]) { - char buf[DECIMAL_MAX_STR_LENGTH * 2]; /* 2 - in the worst case when grouping=1 */ + /* We need space for ',' between each group of digits as well. */ + char buf[2 * FLOATING_POINT_BUFFER]; int count; const char *grouping= lc->grouping; char sign_length= *str->ptr() == '-' ? 1 : 0; @@ -2323,7 +2324,7 @@ String *Item_func_format::val_str_ascii(String *str) count will be initialized to -1 and we'll never get into this "if" anymore. */ - if (!count) + if (count == 0) { *--dst= lc->thousand_sep; if (grouping[1])
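Review bot: The enlarged `char buf[2 * FLOATING_POINT_BUFFER]` in the first hunk is still a fixed stack buffer with no check that the grouped output fits, so the fix holds only as long as the ungrouped `str` produced earlier in val_str_ascii never exceeds FLOATING_POINT_BUFFER bytes, an invariant the hunk neither states nor verifies. With the worst case the new comment describes (a separator after every digit) the output is bounded by twice `str_length`, so a cheap precondition right after the declaration, `DBUG_ASSERT(2 * (size_t) str_length <= sizeof(buf));`, would catch a mismatch before the first `*--dst` write rather than after it, which is presumably where the `dst > buf` assertion in the bug title fired. The comment itself could name the invariant instead of the mechanism, e.g. `/* str is at most FLOATING_POINT_BUFFER bytes; a separator after every digit at most doubles it. */`, and refer to `lc->thousand_sep` rather than ',' since the separator is locale-dependent. val_str_ascii starts before the first hunk and continues past the second, so where str is built and how long it can be are not visible here.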