MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0

Due to an integer overflow an invalid size of ref_pointer_array could be allocated. Using size_t allows this continue. Allocation failures are handled gracefully if the value is too big. Thanks to Zuming Jiang for the bug report and fuzzing MariaDB. Reviewer: Sanja
MariaDB · Aug 18, 2021 · 0dec71c · 0dec71c
1 parent f73eea4
commit 0dec71c
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
@@ -2698,15 +2698,16 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
     prepared statement
   */
   Query_arena *arena= thd->stmt_arena;
-  const uint n_elems= (n_sum_items +
+  const size_t n_elems= (n_sum_items +
                        n_child_sum_items +
                        item_list.elements +
                        select_n_reserved +
                        select_n_having_items +
                        select_n_where_fields +
                        order_group_num +
                        hidden_bit_fields +
-                       fields_in_window_functions) * 5;
+                       fields_in_window_functions) * (size_t) 5;
+  DBUG_ASSERT(n_elems % 5 == 0);
   if (!ref_pointer_array.is_null())
   {
     /*