MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_tim…

…e upon DATE_FORMAT
MariaDB · Mar 14, 2019 · ddfa722 · ddfa722
1 parent 49c49e6
commit ddfa722
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/mysql-test/r/func_time.result b/mysql-test/r/func_time.result
@@ -3444,5 +3444,11 @@ foo
 Warnings:
 Warning	1292	Truncated incorrect DECIMAL value: '2012-12-12 12:12:12'
 #
+# MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+#
+SELECT DATE_FORMAT(100000000000, '%j');
+DATE_FORMAT(100000000000, '%j')
+NULL
+#
 # End of 10.1 tests
 #
diff --git a/mysql-test/t/func_time.test b/mysql-test/t/func_time.test
@@ -1929,6 +1929,13 @@ DROP TABLE t1;
 
 SELECT NULLIF('foo', FROM_UNIXTIME('2012-12-12 12:12:12', TRIM(0)));
 
+--echo #
+--echo # MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+--echo #
+
+SELECT DATE_FORMAT(100000000000, '%j');
+
+
 --echo #
 --echo # End of 10.1 tests
 --echo #
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
@@ -577,7 +577,7 @@ static bool make_date_time(const LEX_CSTRING &format, MYSQL_TIME *l_time,
 	str->append_with_prefill(intbuff, length, 2, '0');
 	break;
       case 'j':
-	if (type == MYSQL_TIMESTAMP_TIME)
+	if (type == MYSQL_TIMESTAMP_TIME || !l_time->month || !l_time->year)
 	  return 1;
 	length= (uint) (int10_to_str(calc_daynr(l_time->year,l_time->month,
 					l_time->day) -