From 63a6af328594a48b9ea930d17088c739a2ebe4c8 Mon Sep 17 00:00:00 2001 From: Tor Didriksen Date: Thu, 21 Aug 2014 16:42:04 +0200 Subject: Bug#18928848 II. MALLOC OF UNINITIALIZED MEMORY SIZE Several string functions have optimizations for constant sub-expressions which lead to setting max_length == 0. For subqueries, where we need a temporary table to holde the result, we need to ensure that we use a VARCHAR(0) column rather than a CHAR(0) column when such expressions take part in grouping. With CHAR(0) end_update() may write garbage into the next field. --- sql/item.cc | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/sql/item.cc b/sql/item.cc index 10ba48ab1c8..96f15b92a54 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -5241,7 +5241,7 @@ bool Item::eq_by_collation(Item *item, bool binary_cmp, CHARSET_INFO *cs) If max_length > CONVERT_IF_BIGGER_TO_BLOB create a blob @n If max_length > 0 create a varchar @n - If max_length == 0 create a CHAR(0) + If max_length == 0 create a CHAR(0) (or VARCHAR(0) if we are grouping) @param table Table for which the field is created */ @@ -5259,8 +5259,19 @@ Field *Item::make_string_field(TABLE *table) field= new Field_varstring(max_length, maybe_null, name, table->s, collation.collation); else - field= new Field_string(max_length, maybe_null, name, - collation.collation); + { + /* + marker == 4 : see create_tmp_table() + With CHAR(0) end_update() may write garbage into the next field. + */ + if (max_length == 0 && marker == 4 && maybe_null && + field_type() == MYSQL_TYPE_VAR_STRING && type() != Item::TYPE_HOLDER) + field= new Field_varstring(max_length, maybe_null, name, table->s, + collation.collation); + else + field= new Field_string(max_length, maybe_null, name, + collation.collation); + } if (field) field->init(table); return field; -- cgit v1.2.1
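Review bot: The new guard in make_string_field() selects the VARCHAR(0) fallback on the literal `marker == 4`, so the fix silently stops applying if create_tmp_table() ever changes the value it stores in `marker`; a named constant defined where create_tmp_table() sets the marker, and compared here, would turn the comment's "see create_tmp_table()" from advice into something the compiler enforces. The comment also says nothing about why the fallback additionally requires `maybe_null`, `field_type() == MYSQL_TYPE_VAR_STRING` and `type() != Item::TYPE_HOLDER`; since the defect described is end_update() writing past a zero-length CHAR field into its neighbour, a reader cannot tell whether a non-nullable or non-VAR_STRING CHAR(0) in a grouping temp table is genuinely safe or simply outside the reproducer, so each condition deserves a one-line reason, e.g. `/* maybe_null: a NULL-able CHAR(0) is the case end_update() overruns */`. The change only alters which Field subclass is allocated; if end_update() itself does not bound its write by the destination field's length, that function is worth a defensive check too, but it is outside this hunk. make_string_field() begins before the hunk and its closing brace is not shown.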