Commit d9f48df3 authored by Tor Didriksen's avatar Tor Didriksen

Bug#12985030 SIMPLE QUERY WITH DECIMAL NUMBERS LEAKS MEMORY

Extra fix: 'if (p5 < p5_a + P5A_MAX)' is not portable.
p5 starts out pointing to a static array, then may point
to a buffer on the stack, then may point to malloc()ed memory.
parent a5f8796e
...@@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc) ...@@ -1009,6 +1009,7 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
Bigint *b1, *p5, *p51=NULL; Bigint *b1, *p5, *p51=NULL;
int i; int i;
static int p05[3]= { 5, 25, 125 }; static int p05[3]= { 5, 25, 125 };
my_bool overflow= FALSE;
if ((i= k & 3)) if ((i= k & 3))
b= multadd(b, p05[i-1], 0, alloc); b= multadd(b, p05[i-1], 0, alloc);
...@@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc) ...@@ -1027,16 +1028,19 @@ static Bigint *pow5mult(Bigint *b, int k, Stack_alloc *alloc)
if (!(k>>= 1)) if (!(k>>= 1))
break; break;
/* Calculate next power of 5 */ /* Calculate next power of 5 */
if (p5 < p5_a + P5A_MAX) if (overflow)
++p5;
else if (p5 == p5_a + P5A_MAX)
p5= mult(p5, p5, alloc);
else
{ {
p51= mult(p5, p5, alloc); p51= mult(p5, p5, alloc);
Bfree(p5, alloc); Bfree(p5, alloc);
p5= p51; p5= p51;
} }
else if (p5 < p5_a + P5A_MAX)
++p5;
else if (p5 == p5_a + P5A_MAX)
{
p5= mult(p5, p5, alloc);
overflow= TRUE;
}
} }
if (p51) if (p51)
Bfree(p51, alloc); Bfree(p51, alloc);
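Review bot: The cleanup at the end of the second hunk still keys on `p51`, but the new `else if (p5 == p5_a + P5A_MAX)` branch stores the first `mult()` result in `p5` only and leaves `p51` NULL. If the loop breaks before another squaring, that Bigint is never passed to `Bfree()`. Since `overflow` is now TRUE exactly when `p5` owns a `mult()` result, the final check could become `if (overflow)` followed by `Bfree(p5, alloc);`, which covers both the first and the later squarings. A short comment on the flag would also help, for example `/* TRUE once p5 no longer points into p5_a and owns a mult() result */`. This is read from the visible lines only: pow5mult starts before the first hunk and continues past the second, and whether the missed block is really lost depends on how `Bfree` treats memory taken from `alloc`, which the page does not show.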
......