Bug #14099846: EXPORT_SET CRASHES DUE TO OVERALLOCATION OF MEMORY

Backport the fix from 5.6 to 5.1 Base bug number : 11765562

Bug #14099846: EXPORT_SET CRASHES DUE TO OVERALLOCATION OF MEMORY
Backport the fix from 5.6 to 5.1 Base bug number : 11765562
00fff1e1 · Chaithra Gopalareddy · e00f8f7f · 00fff1e1
Commit 00fff1e1 authored Aug 05, 2012 by Chaithra Gopalareddy
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 17 deletions

sql/item_strfunc.cc sql/item_strfunc.cc +34 -17

No files found.
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -3047,23 +3047,21 @@ String *Item_load_file::val_str(String *str)
 String* Item_func_export_set::val_str(String* str)
 {
  DBUG_ASSERT(fixed == 1);
-  ulonglong the_set = (ulonglong) args[0]->val_int();
+  String yes_buf, no_buf, sep_buf;
-  String yes_buf, *yes;
+  const ulonglong the_set = (ulonglong) args[0]->val_int();
-  yes = args[1]->val_str(&yes_buf);
+  const String *yes= args[1]->val_str(&yes_buf);
-  String no_buf, *no;
+  const String *no= args[2]->val_str(&no_buf);
-  no = args[2]->val_str(&no_buf);
+  const String *sep= NULL;
-  String *sep = NULL, sep_buf ;
  uint num_set_values = 64;
-  ulonglong mask = 0x1;
  str->length(0);
  str->set_charset(collation.collation);
  /* Check if some argument is a NULL value */
  if (args[0]->null_value || args[1]->null_value || args[2]->null_value)
  {
-    null_value=1;
+    null_value= true;
-    return 0;
+    return NULL;
  }
  /*
    Arg count can only be 3, 4 or 5 here. This is guaranteed from the
@@ -3076,37 +3074,56 @@ String* Item_func_export_set::val_str(String* str)
      num_set_values=64;
    if (args[4]->null_value)
    {
-      null_value=1;
+      null_value= true;
-      return 0;
+      return NULL;
    }
    /* Fall through */
  case 4:
    if (!(sep = args[3]->val_str(&sep_buf)))	// Only true if NULL
    {
-      null_value=1;
+      null_value= true;
-      return 0;
+      return NULL;
    }
    break;
  case 3:
    {
      /* errors is not checked - assume "," can always be converted */
      uint errors;
-      sep_buf.copy(STRING_WITH_LEN(","), &my_charset_bin, collation.collation, &errors);
+      sep_buf.copy(STRING_WITH_LEN(","), &my_charset_bin,
+                   collation.collation, &errors);
      sep = &sep_buf;
    }
    break;
  default:
    DBUG_ASSERT(0); // cannot happen
  }
-  null_value=0;
+  null_value= false;
+  const ulong max_allowed_packet= current_thd->variables.max_allowed_packet;
+  const uint num_separators= num_set_values > 0 ? num_set_values - 1 : 0;
+  const ulonglong max_total_length=
+    num_set_values * max(yes->length(), no->length()) +
+    num_separators * sep->length();
+  if (unlikely(max_total_length > max_allowed_packet))
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_WARN,
+                        ER_WARN_ALLOWED_PACKET_OVERFLOWED,
+                        ER(ER_WARN_ALLOWED_PACKET_OVERFLOWED),
+                        func_name(), max_allowed_packet);
+    null_value= true;
+    return NULL;
+  }
-  for (uint i = 0; i < num_set_values; i++, mask = (mask << 1))
+  uint ix;
+  ulonglong mask;
+  for (ix= 0, mask=0x1; ix < num_set_values; ++ix, mask = (mask << 1))
  {
    if (the_set & mask)
      str->append(*yes);
    else
      str->append(*no);
-    if (i != num_set_values - 1)
+    if (ix != num_separators)
      str->append(*sep);
  }
  return str;