MDEV-33468: Crash due to missing stack overrun check in two recursive functions

Thanks to Yury Chaikou for finding this problem (and the fix). Reviewed-by: Monty <monty@mariadb.org> Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>

MDEV-33468: Crash due to missing stack overrun check in two recursive functions
Thanks to Yury Chaikou for finding this problem (and the fix). Reviewed-by: Monty <monty@mariadb.org> Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
5707f1ef · Kristian Nielsen · fdaa7a96 · 5707f1ef · 5707f1ef
Commit 5707f1ef authored Feb 15, 2024 by Kristian Nielsen
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

sql/item.cc sql/item.cc +5 -1

sql/sql_select.cc sql/sql_select.cc +6 -0

No files found.
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -27,6 +27,7 @@
 #include "sp_rcontext.h"
 #include "sp_head.h"
 #include "sql_trigger.h"
+#include "sql_parse.h"
 #include "sql_select.h"
 #include "sql_show.h"                           // append_identifier
 #include "sql_view.h"                           // VIEW_ANY_SQL
@@ -485,7 +486,10 @@ void Item::print_parenthesised(String *str, enum_query_type query_type,
  bool need_parens= precedence() < parent_prec;
  if (need_parens)
    str->append('(');
-  print(str, query_type);
+  if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+    str->append("<STACK OVERRUN>");
+  else
+    print(str, query_type);
  if (need_parens)
    str->append(')');
 }

--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -17662,6 +17662,12 @@ Item_cond::remove_eq_conds(THD *thd, Item::cond_result *cond_value,
  bool and_level= functype() == Item_func::COND_AND_FUNC;
  List<Item> *cond_arg_list= argument_list();

+  if (check_stack_overrun(thd, STACK_MIN_SIZE, NULL))
+  {
+    *cond_value= Item::COND_FALSE;
+    return (COND*) 0;                           // Fatal error flag is set!
+  }
+
  if (and_level)
  {
    /*