From a6145f4b62bd264ad32d2dade98eda0cc6de0dba Mon Sep 17 00:00:00 2001 From: Tor Didriksen Date: Fri, 14 Oct 2011 10:09:53 +0200 Subject: Bug#12563865 ROUNDED,TMP_BUF,DECIMAL_VALUE STACK CORRUPTION IN ALL VERSIONS >=5.0 Buffer over-run on all platforms, crash on windows, wrong result on other platforms, when rounding numbers which start with 999999999 and have precision = 9 or 18 or 27 or 36 ... mysql-test/r/type_newdecimal.result: New test cases. mysql-test/t/type_newdecimal.test: New test cases. sql/my_decimal.h: Add sanity checking code, to catch buffer over/under-run. strings/decimal.c: The original initialization of intg1 (add 1 if buf[0] == DIG_MAX) will set p1 to point outside the buffer, and the loop to copy the original value while (buf0 < p0) *(--p1) = *(--p0); will overwrite memory outside the my_decimal object. --- sql/my_decimal.h | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'sql/my_decimal.h') diff --git a/sql/my_decimal.h b/sql/my_decimal.h index 6a0d05921ec..ee023438f20 100644 --- a/sql/my_decimal.h +++ b/sql/my_decimal.h @@ -86,12 +86,31 @@ inline int my_decimal_int_part(uint precision, uint decimals) class my_decimal :public decimal_t { + /* + Several of the routines in strings/decimal.c have had buffer + overrun/underrun problems. These are *not* caught by valgrind. + To catch them, we allocate dummy fields around the buffer, + and test that their values do not change. + */ +#if !defined(DBUG_OFF) + int foo1; +#endif + decimal_digit_t buffer[DECIMAL_BUFF_LENGTH]; +#if !defined(DBUG_OFF) + int foo2; + static const int test_value= 123; +#endif + public: void init() { +#if !defined(DBUG_OFF) + foo1= test_value; + foo2= test_value; +#endif len= DECIMAL_BUFF_LENGTH; buf= buffer; #if !defined (HAVE_purify) && !defined(DBUG_OFF) @@ -104,6 +123,17 @@ public: { init(); } + ~my_decimal() + { + sanity_check(); + } + + void sanity_check() + { + DBUG_ASSERT(foo1 == test_value); + DBUG_ASSERT(foo2 == test_value); + } + void fix_buffer_pointer() { buf= buffer; } bool sign() const { return decimal_t::sign; } -- cgit v1.2.1 From d26aefb0775048128495eaab151ee4118f8f7afd Mon Sep 17 00:00:00 2001 From: Michael Widenius Date: Thu, 24 Nov 2011 16:04:19 +0200 Subject: Fixes for build failuers found by buildbot mysql-test/mysql-test-run.pl: Rename MYSQLD -> MYSQLD_SIMPLE_CMD to avoid conflict with new MYSQLD variable from MySQL 5.1 mysql-test/r/innodb_file_format.result: Remove old duplicated test mysql-test/suite/pbxt/r/endspace.result: Update test to last version mysql-test/suite/pbxt/r/heap.result: Removed heap test (not part of pbxt) mysql-test/suite/pbxt/r/select_safe.result: Updated results after error message change mysql-test/suite/pbxt/r/view_grant.result: Removed view test (not part of pbxt) mysql-test/suite/pbxt/t/endspace.test: Update test to last version mysql-test/suite/pbxt/t/heap.test: Removed heap test (not part of pbxt) mysql-test/suite/pbxt/t/view_grant.test: Removed view test (not part of pbxt) mysql-test/t/innodb_file_format.test: Remove old duplicated test mysql-test/t/mysqld_option_err.test: Use renamed variable sql/my_decimal.h: Fixed wrong define storage/maria/ma_loghandler.c: Fixed compiler warning --- sql/my_decimal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql/my_decimal.h') diff --git a/sql/my_decimal.h b/sql/my_decimal.h index 72692e54d35..845aecb972c 100644 --- a/sql/my_decimal.h +++ b/sql/my_decimal.h @@ -99,7 +99,7 @@ class my_decimal :public decimal_t To catch them, we allocate dummy fields around the buffer, and test that their values do not change. */ -#if !defined(DBUG_OFF) && defined(HAVE_valgrind) +#if !defined(DBUG_OFF) int foo1; #endif -- cgit v1.2.1