database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL

Browse Source 
The buffer was simply too small.
In 5.5 and trunk, the size is 311 + 31,
in 5.1 and below, the size is 331
This commit is contained in:
Tor Didriksen
2011-07-15 14:07:38 +02:00
parent 4c7a22477e
commit cfe3489b95
6 changed files with 44 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
client/sql_string.cc
View File

@ -119,7 +119,7 @@ bool String::set(ulonglong num, CHARSET_INFO *cs)
bool String::set(double num,uint decimals, CHARSET_INFO *cs)
{
char buff[331];
char buff[FLOATING_POINT_BUFFER];
uint dummy_errors;
str_charset=cs;
@ -188,7 +188,9 @@ end:
#else
#ifdef HAVE_SNPRINTF
buff[sizeof(buff)-1]=0; // Safety
snprintf(buff,sizeof(buff)-1, "%.*f",(int) decimals,num);
int num_chars= snprintf(buff, sizeof(buff)-1, "%.*f",(int) decimals, num);
DBUG_ASSERT(num_chars > 0);
DBUG_ASSERT(num_chars < (int) sizeof(buff));
#else
sprintf(buff,"%.*f",(int) decimals,num);
#endif