MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT

abarkov · abarkov · commit ddfa722a03ab · 2019-03-14T14:40:33.000+04:00
diff --git a/mysql-test/r/func_time.result b/mysql-test/r/func_time.result
@@ -3444,5 +3444,11 @@ foo
 Warnings:
 Warning	1292	Truncated incorrect DECIMAL value: '2012-12-12 12:12:12'
 #
+# MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+#
+SELECT DATE_FORMAT(100000000000, '%j');
+DATE_FORMAT(100000000000, '%j')
+NULL
+#
 # End of 10.1 tests
 #
diff --git a/mysql-test/t/func_time.test b/mysql-test/t/func_time.test
@@ -1929,6 +1929,13 @@ DROP TABLE t1;
 
 SELECT NULLIF('foo', FROM_UNIXTIME('2012-12-12 12:12:12', TRIM(0)));
 
+--echo #
+--echo # MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+--echo #
+
+SELECT DATE_FORMAT(100000000000, '%j');
+
+
 --echo #
 --echo # End of 10.1 tests
 --echo #
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
@@ -577,7 +577,7 @@ static bool make_date_time(const LEX_CSTRING &format, MYSQL_TIME *l_time,
 	str->append_with_prefill(intbuff, length, 2, '0');
 	break;
       case 'j':
-	if (type == MYSQL_TIMESTAMP_TIME)
+	if (type == MYSQL_TIMESTAMP_TIME || !l_time->month || !l_time->year)
 	  return 1;
 	length= (uint) (int10_to_str(calc_daynr(l_time->year,l_time->month,
 					l_time->day) - 

Original file line number	Diff line number	Diff line change
`@@ -3444,5 +3444,11 @@ foo`
`3444`	`3444`	`Warnings:`
`3445`	`3445`	`Warning 1292 Truncated incorrect DECIMAL value: '2012-12-12 12:12:12'`
`3446`	`3446`	`#`
	`3447`	`+# MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT`
	`3448`	`+#`
	`3449`	`+SELECT DATE_FORMAT(100000000000, '%j');`
	`3450`	`+DATE_FORMAT(100000000000, '%j')`
	`3451`	`+NULL`
	`3452`	`+#`
`3447`	`3453`	`# End of 10.1 tests`
`3448`	`3454`	`#`