MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT

2019-03-14 14:40:33 +04:00 · 2019-03-14 14:40:33 +04:00 · ddfa722a03
commit ddfa722a03
parent 49c49e630b
3 changed files with 14 additions and 1 deletions
--- a/mysql-test/r/func_time.result
+++ b/mysql-test/r/func_time.result
@ -3444,5 +3444,11 @@ foo
 Warnings:
 Warning	1292	Truncated incorrect DECIMAL value: '2012-12-12 12:12:12'
 #
+# MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+#
+SELECT DATE_FORMAT(100000000000, '%j');
+DATE_FORMAT(100000000000, '%j')
+NULL
+#
 # End of 10.1 tests
 #
--- a/mysql-test/t/func_time.test
+++ b/mysql-test/t/func_time.test
@ -1929,6 +1929,13 @@ DROP TABLE t1;

 SELECT NULLIF('foo', FROM_UNIXTIME('2012-12-12 12:12:12', TRIM(0)));

+--echo #
+--echo # MDEV-18626 ASAN stack-buffer-overflow in int10_to_str / make_date_time upon DATE_FORMAT
+--echo #
+
+SELECT DATE_FORMAT(100000000000, '%j');
+
+
 --echo #
 --echo # End of 10.1 tests
 --echo #
--- a/sql/item_timefunc.cc
+++ b/sql/item_timefunc.cc
@ -577,7 +577,7 @@ static bool make_date_time(const LEX_CSTRING &format, MYSQL_TIME *l_time,
 	str->append_with_prefill(intbuff, length, 2, '0');
 	break;
      case 'j':
-	if (type == MYSQL_TIMESTAMP_TIME)
+	if (type == MYSQL_TIMESTAMP_TIME || !l_time->month || !l_time->year)
 	  return 1;
 	length= (uint) (int10_to_str(calc_daynr(l_time->year,l_time->month,
 					l_time->day) -