mariadb/bsc1194828.patch

From b69191bbb2278fce92b470e8e3abafe048166e39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?= <marko.makela@mariadb.com>
Date: Fri, 18 Feb 2022 16:31:54 +0200
Subject: [PATCH] MDEV-26645: Fix UB in Item_func_plus and Item_func_minus

An integer overflow in an expression like a+b or a-b is undefined behavior.
The compiler is allowed to assume that no such overflow is possible,
and optimize away some code accordingly.

Item_func_plus::int_op(), Item_func_minus::int_op(): Always check
for overflow.

Depending on the compiler and the compilation options, a test might fail:

CURRENT_TEST: main.func_math
mysqltest: At line 425: query 'SELECT 9223372036854775807 + 9223372036854775807' succeeded - should have failed with errno 1690...

A similar bug had been fixed earlier in
commit 328edf8560dbf1941ce314fa112e0db05d9f97f1.
---
 sql/item_func.cc | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/sql/item_func.cc b/sql/item_func.cc
index 60efc55d8785c..452bc74cc8215 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -1,5 +1,5 @@
 /* Copyright (c) 2000, 2015, Oracle and/or its affiliates.
-   Copyright (c) 2009, 2021, MariaDB
+   Copyright (c) 2009, 2022, MariaDB
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1163,14 +1163,10 @@ longlong Item_func_plus::int_op()
     }
   }
 
-#ifndef WITH_UBSAN
-  res= val0 + val1;
-#else
   if (res_unsigned)
     res= (longlong) ((ulonglong) val0 + (ulonglong) val1);
   else
-    res= val0+val1;
-#endif /* WITH_UBSAN */
+    res= val0 + val1;
 
   return check_integer_overflow(res, res_unsigned);
 
@@ -1333,14 +1329,10 @@ longlong Item_func_minus::int_op()
         goto err;
     }
   }
-#ifndef WITH_UBSAN
-  res= val0 - val1;
-#else
   if (res_unsigned)
     res= (longlong) ((ulonglong) val0 - (ulonglong) val1);
   else
     res= val0 - val1;
-#endif /* WITH_UBSAN */
 
   return check_integer_overflow(res, res_unsigned);
Accepting request 956810 from home:dspinella:branches:server:database - Update to 10.7.3 (bsc#1196016): * release notes and changelog: https://mariadb.com/kb/en/library/mariadb-1073-release-notes https://mariadb.com/kb/en/library/mariadb-1073-changelog https://mariadb.com/kb/en/library/mariadb-1072-release-notes https://mariadb.com/kb/en/library/mariadb-1072-changelog https://mariadb.com/kb/en/library/mariadb-1071-release-notes https://mariadb.com/kb/en/library/mariadb-1071-changelog https://mariadb.com/kb/en/library/mariadb-1070-release-notes https://mariadb.com/kb/en/library/mariadb-1070-changelog * fixes for the following security vulnerabilities: 10.7.3: CVE-2021-46665 CVE-2021-46664 CVE-2021-46661 CVE-2021-46668 CVE-2021-46663 10.7.2: CVE-2022-24052 CVE-2022-24051 CVE-2022-24050 CVE-2022-24048 CVE-2021-46659, bsc#1195339 10.7.1: none 10.7.0: none - Remove upstreamed patches: * mariadb-10.0.15-logrotate.su.patch * mariadb-10.1.1-mysqld_multi_features.patch - Refresh mariadb-10.2.4-logrotate.patch - Update list of skipped tests - Add bsc1194828.patch to fix build with GCC12, fixes bsc#1194828 - The following issues have already been fixed in this package but weren't OBS-URL: https://build.opensuse.org/request/show/956810 OBS-URL: https://build.opensuse.org/package/show/server:database/mariadb?expand=0&rev=292 2022-02-22 18:01:43 +00:00			`From b69191bbb2278fce92b470e8e3abafe048166e39 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?= <marko.makela@mariadb.com>`
			`Date: Fri, 18 Feb 2022 16:31:54 +0200`
			`Subject: [PATCH] MDEV-26645: Fix UB in Item_func_plus and Item_func_minus`

			`An integer overflow in an expression like a+b or a-b is undefined behavior.`
			`The compiler is allowed to assume that no such overflow is possible,`
			`and optimize away some code accordingly.`

			`Item_func_plus::int_op(), Item_func_minus::int_op(): Always check`
			`for overflow.`

			`Depending on the compiler and the compilation options, a test might fail:`

			`CURRENT_TEST: main.func_math`
			`mysqltest: At line 425: query 'SELECT 9223372036854775807 + 9223372036854775807' succeeded - should have failed with errno 1690...`

			`A similar bug had been fixed earlier in`
			`commit 328edf8560dbf1941ce314fa112e0db05d9f97f1.`
			`---`
			`sql/item_func.cc \| 12 ++----------`
			`1 file changed, 2 insertions(+), 10 deletions(-)`

			`diff --git a/sql/item_func.cc b/sql/item_func.cc`
			`index 60efc55d8785c..452bc74cc8215 100644`
			`--- a/sql/item_func.cc`
			`+++ b/sql/item_func.cc`
			`@@ -1,5 +1,5 @@`
			`/* Copyright (c) 2000, 2015, Oracle and/or its affiliates.`
			`- Copyright (c) 2009, 2021, MariaDB`
			`+ Copyright (c) 2009, 2022, MariaDB`

			`This program is free software; you can redistribute it and/or modify`
			`it under the terms of the GNU General Public License as published by`
			`@@ -1163,14 +1163,10 @@ longlong Item_func_plus::int_op()`
			`}`
			`}`

			`-#ifndef WITH_UBSAN`
			`- res= val0 + val1;`
			`-#else`
			`if (res_unsigned)`
			`res= (longlong) ((ulonglong) val0 + (ulonglong) val1);`
			`else`
			`- res= val0+val1;`
			`-#endif /* WITH_UBSAN */`
			`+ res= val0 + val1;`

			`return check_integer_overflow(res, res_unsigned);`

			`@@ -1333,14 +1329,10 @@ longlong Item_func_minus::int_op()`
			`goto err;`
			`}`
			`}`
			`-#ifndef WITH_UBSAN`
			`- res= val0 - val1;`
			`-#else`
			`if (res_unsigned)`
			`res= (longlong) ((ulonglong) val0 - (ulonglong) val1);`
			`else`
			`res= val0 - val1;`
			`-#endif /* WITH_UBSAN */`

			`return check_integer_overflow(res, res_unsigned);`