Bug #29723340: MYSQL SERVER CRASH AFTER SQL QUERY WITH DATA ?AST
Description:
============
MySQL server ends abruptly when a SELECT query with a WHERE clause
having a predicate with a numeric value in the format of (scientific)
E-notation is executed.

ANALYSIS:
=========
my_strntoull10_8bit is invoked to convert a user-provided string to an
unsigned longlong integer value. The 'exponent' variable is used to
store the value of the exponent part of the user-provided literal. But
the data type of the 'exponent' variable is int, whereas the exponent
part of the user-provided literal is greater than INT_MAX. Hence it
results in a garbage value in the 'exponent' variable, which then
results in a segmentation fault when array d10 is accessed using this
garbage value.

SOLUTION:
=========
Change the data type of the variables used for storing the value of
the exponent to longlong. Also check the value of the exponent so that
a value greater than LLONG_MAX is not processed further.

This is a partial backport of the patch for Bug#22824408 FIX MORE
ERRORS REPORTED BY UBSAN - FOUR and Bug#28505423 UBSAN: SIGNED INTEGER
OVERFLOW IN MY_STRNTOULL10RND_8BIT

Change-Id: I773d048496b37d921b3504b1ec61b0a31f24ca77
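As an added example, not MySQL's code and not part of this commit, the C program below shows the shape of the defect and of the fix the message describes: a decimal literal with an E-notation exponent, a fixed table of powers of ten standing in for the d10 array, and a table index derived from the exponent. The exponent is accumulated in a long long with an overflow guard (so a literal whose exponent exceeds INT_MAX or LLONG_MAX is rejected rather than stored as garbage), and the table index is bounds-checked before the array is touched. The names pow10_table, parse_exponent, parse_u64_enotation and parse_matches, and the test literals in main, are this example's own assumptions.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Added example (not MySQL's code). Mirrors the bug shape from the commit
   message: E-notation exponent -> index into a power-of-ten table. */

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_SYNTAX,    /* not a valid unsigned integer literal */
    PARSE_EXP_OVERFLOW,  /* exponent digits would exceed LLONG_MAX */
    PARSE_OUT_OF_RANGE   /* value does not fit in unsigned long long */
};

/* 10^0 .. 10^19; 10^19 is the largest power of ten below ULLONG_MAX. */
#define MAX_POW10 19
static const unsigned long long pow10_table[MAX_POW10 + 1] = {
    1ULL, 10ULL, 100ULL, 1000ULL, 10000ULL, 100000ULL, 1000000ULL,
    10000000ULL, 100000000ULL, 1000000000ULL, 10000000000ULL,
    100000000000ULL, 1000000000000ULL, 10000000000000ULL,
    100000000000000ULL, 1000000000000000ULL, 10000000000000000ULL,
    100000000000000000ULL, 1000000000000000000ULL, 10000000000000000000ULL
};

/* Parse the digits after 'e'/'E' into a long long; refuse to wrap. */
static int parse_exponent(const char *s, const char **end, long long *exp_out)
{
    int neg = 0;
    long long exp = 0;

    if (*s == '+' || *s == '-') {
        neg = (*s == '-');
        s++;
    }
    if (!isdigit((unsigned char)*s))
        return PARSE_BAD_SYNTAX;
    for (; isdigit((unsigned char)*s); s++) {
        int d = *s - '0';
        /* exp * 10 + d must stay <= LLONG_MAX, else stop before wrapping */
        if (exp > (LLONG_MAX - d) / 10)
            return PARSE_EXP_OVERFLOW;
        exp = exp * 10 + d;
    }
    *end = s;
    *exp_out = neg ? -exp : exp;
    return PARSE_OK;
}

/* Parse an unsigned integer literal such as "123", "12e3" or "4500E-2". */
int parse_u64_enotation(const char *s, unsigned long long *out)
{
    unsigned long long mant = 0;
    long long exp = 0;
    int ndigits = 0;

    for (; isdigit((unsigned char)*s); s++) {
        int d = *s - '0';
        if (mant > (ULLONG_MAX - d) / 10)
            return PARSE_OUT_OF_RANGE;
        mant = mant * 10 + d;
        ndigits++;
    }
    if (ndigits == 0)
        return PARSE_BAD_SYNTAX;

    if (*s == 'e' || *s == 'E') {
        int rc = parse_exponent(s + 1, &s, &exp);
        if (rc != PARSE_OK)
            return rc;
    }
    if (*s != '\0')
        return PARSE_BAD_SYNTAX;

    if (mant == 0) {
        *out = 0;
        return PARSE_OK;
    }
    if (exp < 0) {
        /* Integer division; any mantissa below 2^64 vanishes past 10^19. */
        if (exp < -MAX_POW10) {
            *out = 0;
            return PARSE_OK;
        }
        *out = mant / pow10_table[-exp];
        return PARSE_OK;
    }
    /* Bounds-check the index BEFORE reading the table: a garbage or huge
       exponent must never become an out-of-bounds array access. */
    if (exp > MAX_POW10)
        return PARSE_OUT_OF_RANGE;
    if (mant > ULLONG_MAX / pow10_table[exp])
        return PARSE_OUT_OF_RANGE;
    *out = mant * pow10_table[exp];
    return PARSE_OK;
}

/* Test helper: 1 if parsing s yields want_rc and, on success, want_val. */
int parse_matches(const char *s, int want_rc, unsigned long long want_val)
{
    unsigned long long v = 0;
    int rc = parse_u64_enotation(s, &v);
    if (rc != want_rc)
        return 0;
    return rc != PARSE_OK || v == want_val;
}

int main(void)
{
    /* Constructed inputs; the last two have exponents beyond INT_MAX. */
    const char *inputs[] = { "123e2", "12345e-3", "1e19", "5e19",
                             "1e3000000000", "1e99999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned long long v = 0;
        int rc = parse_u64_enotation(inputs[i], &v);
        printf("%-24s rc=%d value=%llu\n", inputs[i], rc, v);
    }
    return 0;
}
```

The two guards do different jobs: the check inside parse_exponent keeps the exponent variable itself from wrapping (the root cause named in ANALYSIS), and the `exp > MAX_POW10` check keeps any exponent that did survive parsing from being used as an unchecked array index. A parser needs both; the second one alone would still be reasoning about a value that may already be garbage.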