From ccbc24b45a79b6407487550fa19b40752d22fa7f Mon Sep 17 00:00:00 2001 From: "Tatiana A. Nurnberg" Date: Thu, 11 Nov 2010 09:46:49 +0000 Subject: Bug#55436: buffer overflow in debug binary of dbug_buff in Field_new_decimal::store_value There were some misunderstandings about parameters pertaining to buffer-size. Patches fixes the reported off by one and clarifies the documentation. mysql-test/r/type_newdecimal.result: add test mysql-test/t/type_newdecimal.test: add test sql/field.cc: adjust buffer size by one to account for terminator. sql/my_decimal.cc: adjust buffer size by one to account for terminator. clarify needs in comments. sql/my_decimal.h: clarify buffer-size needs to prevent future off-by-one bugs. strings/decimal.c: clarify buffer-size needs and parameters to prevent future off-by-one bugs --- sql/my_decimal.cc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'sql/my_decimal.cc') diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc index 3aa01880b83..a38dc341684 100644 --- a/sql/my_decimal.cc +++ b/sql/my_decimal.cc @@ -95,10 +95,11 @@ int my_decimal2string(uint mask, const my_decimal *d, UNSIGNED. Hence the buffer for a ZEROFILLed value is the length the user requested, plus one for a possible decimal point, plus one if the user only wanted decimal places, but we force a leading - zero on them. Because the type is implicitly UNSIGNED, we do not - need to reserve a character for the sign. For all other cases, - fixed_prec will be 0, and my_decimal_string_length() will be called - instead to calculate the required size of the buffer. + zero on them, plus one for the '\0' terminator. Because the type + is implicitly UNSIGNED, we do not need to reserve a character for + the sign. For all other cases, fixed_prec will be 0, and + my_decimal_string_length() will be called instead to calculate the + required size of the buffer. */ int length= (fixed_prec ? (fixed_prec + ((fixed_prec == fixed_dec) ? 1 : 0) + 1) @@ -275,7 +276,7 @@ print_decimal_buff(const my_decimal *dec, const uchar* ptr, int length) const char *dbug_decimal_as_string(char *buff, const my_decimal *val) { - int length= DECIMAL_MAX_STR_LENGTH; + int length= DECIMAL_MAX_STR_LENGTH + 1; /* minimum size for buff */ if (!val) return "NULL"; (void)decimal2string((decimal_t*) val, buff, &length, 0,0,0); -- cgit v1.2.1 From 44135d4725dd3ad6d331c60b0bab1618472b8ae4 Mon Sep 17 00:00:00 2001 From: Kent Boortz Date: Thu, 30 Jun 2011 17:31:31 +0200 Subject: Updated/added copyright headers --- sql/my_decimal.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'sql/my_decimal.cc') diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc index a235edbd73c..6b65924255c 100644 --- a/sql/my_decimal.cc +++ b/sql/my_decimal.cc @@ -1,4 +1,5 @@ -/* Copyright (C) 2005-2006 MySQL AB +/* Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc. + Use is subject to license terms. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -11,7 +12,7 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #include "mysql_priv.h" #include -- cgit v1.2.1