Commit 12b8fb96 authored by Tor Didriksen's avatar Tor Didriksen

Bug#57209 valgrind + Assertion failed: dst > buf

Buffer overrun when trying to format DBL_MAX


mysql-test/r/func_math.result:
  Add test case for Bug#57209
mysql-test/t/func_math.test:
  Add test case for Bug#57209
sql/item_strfunc.cc:
  Allocate a larger buffer for the result.
parent 0fe0e6b5
......@@ -600,3 +600,10 @@ NULL
SELECT -9223372036854775808 MOD -1;
-9223372036854775808 MOD -1
0
#
# Bug #57209 valgrind + Assertion failed: dst > buf
#
SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821)))
as foo;
foo
2
......@@ -458,3 +458,9 @@ SELECT 2 DIV -2;
SELECT -(1 DIV 0);
# Crashed the server with SIGFPE before the bugfix
SELECT -9223372036854775808 MOD -1;
--echo #
--echo # Bug #57209 valgrind + Assertion failed: dst > buf
--echo #
SELECT floor(log10(format(concat_ws(5445796E25, 5306463, 30837), -358821)))
as foo;
......@@ -2299,7 +2299,8 @@ String *Item_func_format::val_str_ascii(String *str)
if (lc->grouping[0] > 0 &&
str_length >= dec_length + 1 + lc->grouping[0])
{
char buf[DECIMAL_MAX_STR_LENGTH * 2]; /* 2 - in the worst case when grouping=1 */
/* We need space for ',' between each group of digits as well. */
char buf[2 * FLOATING_POINT_BUFFER];
int count;
const char *grouping= lc->grouping;
char sign_length= *str->ptr() == '-' ? 1 : 0;
......@@ -2323,7 +2324,7 @@ String *Item_func_format::val_str_ascii(String *str)
count will be initialized to -1 and
we'll never get into this "if" anymore.
*/
if (!count)
if (count == 0)
{
*--dst= lc->thousand_sep;
if (grouping[1])
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment