From: Marko Mäkelä Date: Fri, 18 Feb 2022 14:31:54 +0000 (+0200) Subject: [PATCH] MDEV-26645: Fix UB in Item_func_plus and Item_func_minus X-Git-Tag: archive/raspbian/1%10.11.8-1+rpi1~1^2^2^2^2^2^2^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=d97e98dee91f8de4b04c8258f8194aeb33ab9d0e;p=mariadb.git [PATCH] MDEV-26645: Fix UB in Item_func_plus and Item_func_minus An integer overflow in an expression like a+b or a-b is undefined behavior. The compiler is allowed to assume that no such overflow is possible, and optimize away some code accordingly. Item_func_plus::int_op(), Item_func_minus::int_op(): Always check for overflow. Depending on the compiler and the compilation options, a test might fail: CURRENT_TEST: main.func_math mysqltest: At line 425: query 'SELECT 9223372036854775807 + 9223372036854775807' succeeded - should have failed with errno 1690... A similar bug had been fixed earlier in commit 328edf8560dbf1941ce314fa112e0db05d9f97f1. This commit was backported from MariaDB 10.9 to Debian with MariaDB 10.6. Gbp-Pq: Name MDEV-26645-fix-test-main.func_math.patch
---
diff --git a/sql/item_func.cc b/sql/item_func.cc
index ed49733d1..92f6255d9 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1,5 +1,5 @@
 /* Copyright (c) 2000, 2015, Oracle and/or its affiliates.
- Copyright (c) 2009, 2021, MariaDB
+ Copyright (c) 2009, 2022, MariaDB
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -1156,14 +1156,10 @@ longlong Item_func_plus::int_op()
 }
 }
-#ifndef WITH_UBSAN
- res= val0 + val1;
-#else
 if (res_unsigned)
 res= (longlong) ((ulonglong) val0 + (ulonglong) val1);
 else
- res= val0+val1;
-#endif /* WITH_UBSAN */
+ res= val0 + val1;
 return check_integer_overflow(res, res_unsigned);
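Review bot: The `else` branch still performs a plain signed `res= val0 + val1;`, which is only well-defined if the range checks earlier in Item_func_plus::int_op() (whose body extends beyond this hunk on both sides) have already sent every overflowing signed operand pair to `err`; nothing visible here states that invariant. I would document it on that line, e.g. `/* signed add cannot overflow here: operand ranges were checked above */`, or drop the branch and always compute in unsigned, `res= (longlong) ((ulonglong) val0 + (ulonglong) val1);`, so the arithmetic no longer depends on checks a later edit could weaken. The same applies to the unchanged `res= val0 - val1;` in the `else` branch of the Item_func_minus::int_op() hunk.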
@@ -1326,14 +1322,10 @@ longlong Item_func_minus::int_op()
 goto err;
 }
 }
-#ifndef WITH_UBSAN
- res= val0 - val1;
-#else
 if (res_unsigned)
 res= (longlong) ((ulonglong) val0 - (ulonglong) val1);
 else
 res= val0 - val1;
-#endif /* WITH_UBSAN */
 return check_integer_overflow(res, res_unsigned);