author | Tor Didriksen <tor.didriksen@oracle.com> | 2011-07-15 14:07:38 +0200 |
---|---|---|
committer | Tor Didriksen <tor.didriksen@oracle.com> | 2011-07-15 14:07:38 +0200 |
commit | cfe3489b9577f9736f115c6f4d21055274cf509b (patch) | |
tree | 5f91199b06f3efec177a65cf2102fda39e2b97c5 /client | |
parent | 4c7a22477e932964b40d85b4f643983b29e13bf9 (diff) | |
Bug#12406055 BUFFER OVERFLOW OF VARIABLE 'BUFF' IN STRING::SET_REAL
The buffer was simply too small.
In 5.5 and trunk, the size is 311 + 31,
in 5.1 and below, the size is 331
Diffstat (limited to 'client')
-rw-r--r-- | client/sql_string.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/client/sql_string.cc b/client/sql_string.cc
index c9443f68e9c..0c89e1d0bca 100644
--- a/client/sql_string.cc
+++ b/client/sql_string.cc
@@ -119,7 +119,7 @@ bool String::set(ulonglong num, CHARSET_INFO *cs)
 bool String::set(double num,uint decimals, CHARSET_INFO *cs)
 {
- char buff[331];
+ char buff[FLOATING_POINT_BUFFER];
 uint dummy_errors;
 str_charset=cs;
@@ -188,7 +188,9 @@ end:
 #else
 #ifdef HAVE_SNPRINTF
 buff[sizeof(buff)-1]=0; // Safety
- snprintf(buff,sizeof(buff)-1, "%.*f",(int) decimals,num);
+ int num_chars= snprintf(buff, sizeof(buff)-1, "%.*f",(int) decimals, num);
+ DBUG_ASSERT(num_chars > 0);
+ DBUG_ASSERT(num_chars < (int) sizeof(buff));
 #else
 sprintf(buff,"%.*f",(int) decimals,num);
 #endif |
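Review bot: The declaration `char buff[FLOATING_POINT_BUFFER];` does not state the invariant it depends on: the buffer is large enough only while `decimals`, which is passed as the `"%.*f"` precision later in this function, stays within the number of fractional digits the constant allows for. Nothing in this hunk bounds `decimals`, and the body of String::set continues outside it, so such a check may exist in the part not shown. I would add a comment at the declaration, for example `// Must hold "%.*f" output of any double at the largest 'decimals' a caller may pass`, and, if no check exists elsewhere in the function, a `DBUG_ASSERT` on `decimals` at entry.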
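Review bot: The second assertion is loose by one: snprintf is given `sizeof(buff)-1` as its size, so a return value equal to `sizeof(buff)-1` already means the output was cut short, yet `DBUG_ASSERT(num_chars < (int) sizeof(buff))` accepts it; the bound should be `DBUG_ASSERT(num_chars < (int) sizeof(buff) - 1);`. Both checks are debug-only, so a release build would still truncate silently, and where DBUG_ASSERT expands to nothing `num_chars` is left as an unused variable. The `#else` branch keeps an unbounded `sprintf(buff,"%.*f",...)`, which is safe only if the new buffer size is right for every input. The code that consumes `buff` lies outside this hunk, so whether a truncated string is acceptable to it cannot be judged from here.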