Fixed access to undefined memory

alloc_query() is examined the content of it's argument, which was uninitalized. Fixed by storing stmt_id in llbuf, according to code comments.
MariaDB · Mar 28, 2021 · 8e2d69f · 8e2d69f
1 parent 80459bc
commit 8e2d69f
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
@@ -3414,15 +3414,17 @@ static void mysql_stmt_execute_common(THD *thd,
   if (!(stmt= find_prepared_statement(thd, stmt_id)))
   {
     char llbuf[22];
+    size_t length;
     /*
       Did not find the statement with the provided stmt_id.
       Set thd->query_string with the stmt_id so the
       audit plugin gets the meaningful notification.
     */
-    if (alloc_query(thd, llbuf, sizeof(llbuf)))
+    length= (size_t) (longlong10_to_str(stmt_id, llbuf, 10) - llbuf);
+    if (alloc_query(thd, llbuf, length + 1))
       thd->set_query(0, 0);
-    my_error(ER_UNKNOWN_STMT_HANDLER, MYF(0), static_cast<int>(sizeof(llbuf)),
-             llstr(stmt_id, llbuf), "mysqld_stmt_execute");
+    my_error(ER_UNKNOWN_STMT_HANDLER, MYF(0), (int) length, llbuf,
+             "mysqld_stmt_execute");
     DBUG_VOID_RETURN;
   }