MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0

Due to an integer overflow an invalid size of ref_pointer_array could be allocated. Using size_t allows this continue. Allocation failures are handled gracefully if the value is too big. Thanks to Zuming Jiang for the bug report and fuzzing MariaDB. Reviewer: Sanja

MDEV-26350: select_lex->ref_pointer_array.size() % 5 == 0
Due to an integer overflow an invalid size of ref_pointer_array could be allocated. Using size_t allows this continue. Allocation failures are handled gracefully if the value is too big. Thanks to Zuming Jiang for the bug report and fuzzing MariaDB. Reviewer: Sanja
0dec71ca · Daniel Black · f73eea49 · 0dec71ca
Commit 0dec71ca authored Aug 18, 2021 by Daniel Black
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

sql/sql_lex.cc sql/sql_lex.cc +3 -2

No files found.
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -2698,7 +2698,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
    prepared statement
  */
  Query_arena *arena= thd->stmt_arena;
-  const uint n_elems= (n_sum_items +
+  const size_t n_elems= (n_sum_items +
                       n_child_sum_items +
                       item_list.elements +
                       select_n_reserved +
@@ -2706,7 +2706,8 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
                       select_n_where_fields +
                       order_group_num +
                       hidden_bit_fields +
-                       fields_in_window_functions) * 5;
+                       fields_in_window_functions) * (size_t) 5;
+  DBUG_ASSERT(n_elems % 5 == 0);
  if (!ref_pointer_array.is_null())
  {
    /*