Bug #59241 invalid memory read in do_div_mod with doubly assigned variables

Fix: copy my_decimal by value, to avoid dangling pointers.


mysql-test/r/func_math.result:
  New test case.
mysql-test/t/func_math.test:
  New test case.
sql/item_cmpfunc.cc:
  No need to call fix_buffer_pointer() anymore.
sql/item_func.cc:
  Copy my_decimal by value, to avoid dangling pointers.
sql/my_decimal.h:
  Implement proper copy constructor and assignment operator for my_decimal.
sql/sql_analyse.cc:
  No need to call fix_buffer_pointer() anymore.
strings/decimal.c:
  Remove #line directive: it messes up TAGS and it confuses gdb when debugging.

1 files changed, 19 insertions, 2 deletions

diff --git a/sql/my_decimal.h b/sql/my_decimal.h
index e5b1573608a..e2f5c95dac2 100644
--- a/sql/my_decimal.h
+++ b/sql/my_decimal.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2005-2006 MySQL AB
+/* Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -102,6 +102,24 @@ class my_decimal :public decimal_t
 
 public:
 
+  my_decimal(const my_decimal &rhs) : decimal_t(rhs)
+  {
+    for (uint i= 0; i < DECIMAL_BUFF_LENGTH; i++)
+      buffer[i]= rhs.buffer[i];
+    fix_buffer_pointer();
+  }
+
+  my_decimal& operator=(const my_decimal &rhs)
+  {
+    if (this == &rhs)
+      return *this;
+    decimal_t::operator=(rhs);
+    for (uint i= 0; i < DECIMAL_BUFF_LENGTH; i++)
+      buffer[i]= rhs.buffer[i];
+    fix_buffer_pointer();
+    return *this;
+  }
+
   void init()
   {
     len= DECIMAL_BUFF_LENGTH;
@@ -248,7 +266,6 @@ inline
 void my_decimal2decimal(const my_decimal *from, my_decimal *to)
 {
   *to= *from;
-  to->fix_buffer_pointer();
 }