[Commits] 2042b37: MDEV-8407 Numeric errors, server crash with COLUMN_JSON() on DECIMAL with precision > 40

OleksandrByelkin sanja at mariadb.com
Wed Dec 9 13:32:06 EET 2015


revision-id: 2042b378e112ab5bb252446cc2e36ff35b4519da (mariadb-10.0.22-35-g2042b37)
parent(s): 50160216eab066de7a71dd8e355f0c5cb29c8789
committer: Oleksandr Byelkin
timestamp: 2015-12-09 12:32:06 +0100
message:

MDEV-8407 Numeric errors, server crash with COLUMN_JSON() on DECIMAL with precision > 40

In fact, it was an error in the decimal library (incorrect processing of buffer overflow), invisible from other parts of the server because of buffer allocation and precision tests.

---
 mysql-test/r/dyncol.result | 40 ++++++++++++++++++++++++++++++++++++++++
 mysql-test/t/dyncol.test   | 17 +++++++++++++++++
 strings/decimal.c          |  3 ++-
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/dyncol.result b/mysql-test/r/dyncol.result
index 62e3b1c..1d1a36c 100644
--- a/mysql-test/r/dyncol.result
+++ b/mysql-test/r/dyncol.result
@@ -1820,5 +1820,45 @@ SELECT COLUMN_JSON(COLUMN_CREATE('a',1,'b','1'));
 COLUMN_JSON(COLUMN_CREATE('a',1,'b','1'))
 {"a":1,"b":"1"}
 #
+# MDEV-8407: Numeric errors, server crash with COLUMN_JSON() on
+# DECIMAL with precision > 40  
+#
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345));
+COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345))
+{"x":0.12345678901234567890123456789012345}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456));
+COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456))
+{"x":0.123456789012345678901234567890123456}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567));
+COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678));
+COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789));
+COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890));
+COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901));
+COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012));
+COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123));
+COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901234));
+COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901234))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012345));
+COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012345))
+{"x":0.1234567890123456789012345678901234567}
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123467));
+COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123467))
+{"x":0.1234567890123456789012345678901234567}
+#
 # end of 10.0 tests
 #
diff --git a/mysql-test/t/dyncol.test b/mysql-test/t/dyncol.test
index ac55fec..7226834 100644
--- a/mysql-test/t/dyncol.test
+++ b/mysql-test/t/dyncol.test
@@ -884,5 +884,22 @@ SELECT COLUMN_JSON(COLUMN_CREATE('a',0,'b','1'));
 SELECT COLUMN_JSON(COLUMN_CREATE('a',1,'b','1'));
 
 --echo #
+--echo # MDEV-8407: Numeric errors, server crash with COLUMN_JSON() on
+--echo # DECIMAL with precision > 40  
+--echo #
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.12345678901234567890123456789012345678901234));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.123456789012345678901234567890123456789012345));
+SELECT COLUMN_JSON(COLUMN_CREATE('x', 0.1234567890123456789012345678901234567890123467));
+
+--echo #
 --echo # end of 10.0 tests
 --echo #
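Review bot: Every added case is a positive literal with a zero integer part, so the regression test only covers truncation of the fraction for an unsigned value. The length expression patched in strings/decimal.c also sums `from->sign` and `intg_len`, so a negative value and one with a non-zero integer part would be worth adding, for example `SELECT COLUMN_JSON(COLUMN_CREATE('x', -0.12345678901234567890123456789012345678901));`, with the matching lines in dyncol.result. The last literal ends in `...0123467`, skipping the `5` that the other cases carry; this looks like a typo and is harmless here only because the output is cut to the same 37 digits.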
diff --git a/strings/decimal.c b/strings/decimal.c
index da47727b..e37a53e 100644
--- a/strings/decimal.c
+++ b/strings/decimal.c
@@ -383,7 +383,8 @@ int decimal2string(const decimal_t *from, char *to, int *to_len,
     }
     else
       frac-=j;
-    len= from->sign + intg_len + MY_TEST(frac) + frac_len;
+    frac_len= frac;
+    len= from->sign + intg_len + MY_TEST(frac) + frac;
   }
   *to_len=len;
   s[len]=0;
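Review bot: The added `frac_len= frac;` carries the whole fix but has no comment, so nothing tells the next reader that `frac_len` must follow `frac` once the fraction has been shortened to fit the caller's buffer. I would add above it something like `/* frac was reduced above; keep frac_len in sync so len and the later digit fill stay inside the caller's buffer */`. The line `s[len]=0;` writes one byte past the `len` printable characters, and the size check that guarantees room for it lies outside this hunk, as do the start and end of decimal2string. A debug assertion before that write that `len` still fits the buffer would make the invariant explicit. If `frac_len` can differ from `frac` on purpose elsewhere in the function (not visible here), the comment should say why overriding it in the truncation path is correct.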

