Fix for bug #41868: crash or memory overrun with concat + upper, date_format

functions String::realloc() did not check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer (i.e.alloced == FALSE). This could lead to memory overruns in some cases. mysql-test/r/func_str.result: Added a test case for bug #41868. mysql-test/t/func_str.test: Added a test case for bug #41868. sql/sql_class.cc: After each call to Item::send() in select_send::send_data() reset buffer to its original state to reduce unnecessary malloc() calls. See comments for bug #41868 for detailed analysis. sql/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
2025-07-27 18:02:13 +03:00 · 2009-02-03 20:19:01 +03:00
parent ecfdc3560c
commit dfbba6e7fd
5 changed files with 40 additions and 20 deletions
--- a/client/sql_string.cc
+++ b/client/sql_string.cc
@ -72,26 +72,26 @@ bool String::realloc(uint32 alloc_length)
    if (alloced)
    {
      if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
+        new_ptr[alloc_length]= 0;
      else
-	return TRUE;				// Signal error
+        return TRUE;				// Signal error
    }
    else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
    {
+      if (str_length > len - 1)
+        str_length= 0;
      if (str_length)				// Avoid bugs in memcpy on AIX
-	memcpy(new_ptr,Ptr,str_length);
-      new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
+        memcpy(new_ptr, Ptr, str_length);
+      new_ptr[str_length]= 0;
      alloced=1;
    }
    else
      return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
  }
-  Ptr[alloc_length]=0;			// This make other funcs shorter
+  else
+    Ptr[alloc_length]= 0;
  return FALSE;
 }