
Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL

The buffer was simply too small.
In 5.5 and trunk, the size is 311 + 31;
in 5.1 and below, the size is 331.


client/sql_string.cc:
  Increase buffer size in String::set(double, ...)
include/m_string.h:
  Increase FLOATING_POINT_BUFFER
mysql-test/r/type_float.result:
  New test cases.
mysql-test/t/type_float.test:
  New test cases.
sql/sql_string.cc:
  Increase buffer size in String::set(double, ...)
sql/unireg.h:
  Move definition of FLOATING_POINT_BUFFER
This commit is contained in:
Tor Didriksen
2011-07-15 14:07:38 +02:00
parent 8e90c61923
commit cfcd49b467
6 changed files with 44 additions and 5 deletions


@ -117,7 +117,7 @@ bool String::set(ulonglong num, CHARSET_INFO *cs)
bool String::set(double num,uint decimals, CHARSET_INFO *cs)
{
char buff[331];
char buff[FLOATING_POINT_BUFFER];
uint dummy_errors;
str_charset=cs;
@ -186,7 +186,9 @@ end:
#else
#ifdef HAVE_SNPRINTF
buff[sizeof(buff)-1]=0; // Safety
snprintf(buff,sizeof(buff)-1, "%.*f",(int) decimals,num);
int num_chars= snprintf(buff, sizeof(buff)-1, "%.*f",(int) decimals, num);
DBUG_ASSERT(num_chars > 0);
DBUG_ASSERT(num_chars < (int) sizeof(buff));
#else
sprintf(buff,"%.*f",(int) decimals,num);
#endif
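Review bot: The second DBUG_ASSERT after the new snprintf call is off by one: the call is given `sizeof(buff)-1` as its limit, so snprintf truncates whenever its return value is greater than or equal to `sizeof(buff)-1`, yet a result of exactly `sizeof(buff)-1` still passes `num_chars < (int) sizeof(buff)` while `buff` holds a truncated string. The bound should match the limit actually passed: `DBUG_ASSERT(num_chars < (int) sizeof(buff) - 1);`. Since DBUG_ASSERT is presumably compiled out in release builds, a truncated result would otherwise be consumed silently by whatever follows, and String::set's body continues outside this hunk, so a non-debug guard may also be worth considering there.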