From c4bf4b7aefcd95b898ea9c8714d09fc1045f304c Mon Sep 17 00:00:00 2001
From: Monty <monty@mariadb.org>
Date: Fri, 15 May 2020 16:15:49 +0300
Subject: Fixed access to undefined memory found by valgrind and MSAN

When my_vsnprintf() is patched, the code protected disabled with
'WAITING_FOR_BUGFIX_TO_VSPRINTF' should be enabled again. Also all %b
formats in this patch should be revert to %s again
---
 extra/replace.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'extra/replace.c')

diff --git a/extra/replace.c b/extra/replace.c
index 0d35c6d0194..7e94bfc36c3 100644
--- a/extra/replace.c
+++ b/extra/replace.c
@@ -64,7 +64,7 @@ typedef struct st_pointer_array {		/* when using array-strings */
 #define LAST_CHAR_CODE	259
 
 typedef struct st_replace {
-  my_bool   found;
+  uint8 found;
   struct st_replace *next[256];
 } REPLACE;
 
@@ -654,7 +654,13 @@ static REPLACE *init_replace(char * *from, char * *to,uint count,
     for (i=1 ; i <= found_sets ; i++)
     {
       pos=from[found_set[i-1].table_offset];
-      rep_str[i].found= (my_bool) (!memcmp(pos,"\\^",3) ? 2 : 1);
+      /*
+        Test if we are matching start of string (\^)
+        We can't use bcmp() here as pos may be only 1 character and
+        that would confuse MSAN.
+      */
+      rep_str[i].found= (uint8) ((pos[0] == '\\' && pos[1] == '^' &&
+                                  pos[2] == 0) ? 2 : 1);
       rep_str[i].replace_string=to_array[found_set[i-1].table_offset];
       rep_str[i].to_offset=found_set[i-1].found_offset-start_at_word(pos);
       rep_str[i].from_offset=found_set[i-1].found_offset-replace_len(pos)+
-- 
cgit v1.2.1