Fix for bug #41868: crash or memory overrun with concat + upper,

                    date_format functions

String::realloc() did not check whether the existing string data fits in
the newly allocated buffer for cases when reallocating a String object
with external buffer (i.e.alloced == FALSE).  This could lead to memory
overruns in some cases.

client/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.
mysql-test/r/func_str.result:
  Added a test case for bug #41868.
mysql-test/t/func_str.test:
  Added a test case for bug #41868.
sql/sql_class.cc:
  After each call to Item::send() in select_send::send_data() reset
  buffer to its original state to reduce unnecessary malloc() calls. See
  comments for bug #41868 for detailed analysis.
sql/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.

1 files changed, 9 insertions, 0 deletions

diff --git a/mysql-test/t/func_str.test b/mysql-test/t/func_str.test
index 8298a50c277..389538c4cc0 100644
--- a/mysql-test/t/func_str.test
+++ b/mysql-test/t/func_str.test
@@ -1159,4 +1159,13 @@ select format(a, 2) from t1;
 --disable_metadata
 drop table t1;
 
+#
+# Bug #41868: crash or memory overrun with concat + upper, date_format functions
+#
+
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+DROP TABLE t1;
+
 --echo End of 5.0 tests