Fix for bug #41868: crash or memory overrun with concat + upper, date_format

functions String::realloc() did not check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer (i.e.alloced == FALSE). This could lead to memory overruns in some cases. mysql-test/r/func_str.result: Added a test case for bug #41868. mysql-test/t/func_str.test: Added a test case for bug #41868. sql/sql_class.cc: After each call to Item::send() in select_send::send_data() reset buffer to its original state to reduce unnecessary malloc() calls. See comments for bug #41868 for detailed analysis. sql/sql_string.cc: Fixed String::realloc() to check whether the existing string data fits in the newly allocated buffer for cases when reallocating a String object with external buffer.
2025-12-03 05:41:09 +03:00 · 2009-02-03 20:19:01 +03:00
parent ecfdc3560c
commit dfbba6e7fd
5 changed files with 40 additions and 20 deletions
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -1047,6 +1047,11 @@ bool select_send::send_data(List<Item> &items)
      my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
      break;
    }
+    /*
+      Reset buffer to its original state, as it may have been altered in
+      Item::send().
+    */
+    buffer.set(buff, sizeof(buff), &my_charset_bin);
  }
  thd->sent_row_count++;
  if (!thd->vio_ok())