Bug #3447 prepared query, reading negative long value into string buffer error
Submitted: 12 Apr 2004 12:52 Modified: 4 May 2004 13:32
Reporter: Nathaniel Blanchard
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: 4.1.2 (bitkeeper tree) OS: Linux (Redhat 7.3)
Assigned to:
CPU Architecture: Any

[12 Apr 2004 12:52] Nathaniel Blanchard
Description:
Using a prepared statement, try and read a negative long value out of the database into a string buffer. In my case, the value being read is a -1. The number written to the string is the value 18446744073709551516 (-1 cast to an unsigned long long).

How to repeat:
During the fetch, the send_data_long function calls longlong10_to_str, passing in a hard-coded 10 for the radix. This will result in the number always being cast to an unsigned longlong, and therefore you can never return a negative long as a string.

Suggested fix:
The way I fixed it was to change the call in libmysql.c, send_data_long function to be:

uint length= (uint)(longlong10_to_str(value,(char *)tmp,((value < 0) ? -10 : 10))-tmp);

I didn't do extensive testing on the other field types, but you might want to test converting all MySQL field types into a string using the new prepared query API calls and make sure they handle negative values correctly.
[4 May 2004 13:32] Michael Widenius
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

The suggested fix would not work for unsigned variables.
Last week we fixed the protocol to support unsigned integers and I have now fixed send_data_long() to handle signed/unsigned integers.

Fix will be in 4.1.2

Regards,
Monty
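
Added example, not part of the original report and not MySQL's code: a small C program comparing the three radix choices discussed in this thread (always 10, sign of the value, and a per-column signedness flag). `demo_ll10_to_str`, `fetch_as_string` and the `is_unsigned` parameter are hypothetical stand-ins that assume the radix convention described in the report (-10 formats as signed, 10 as unsigned).

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the converter described in the report (assumed convention):
   radix -10 formats val as signed, radix 10 as unsigned.
   Returns a pointer to the terminating NUL, so (result - dst) is the length. */
static char *demo_ll10_to_str(long long val, char *dst, int radix)
{
    unsigned long long u = (unsigned long long)val;
    char tmp[24];
    int n = 0;
    if (radix < 0 && val < 0) {
        *dst++ = '-';
        u = 0ULL - u;               /* magnitude; also correct for LLONG_MIN */
    }
    do { tmp[n++] = (char)('0' + u % 10); u /= 10; } while (u);
    while (n) *dst++ = tmp[--n];    /* digits were produced in reverse */
    *dst = '\0';
    return dst;
}

enum strategy { ALWAYS_UNSIGNED, SIGN_OF_VALUE, COLUMN_FLAG };

/* Format a fetched 64-bit value into buf (at least 21 bytes) and return buf.
   is_unsigned is hypothetical column metadata supplied by the caller. */
static const char *fetch_as_string(long long value, int is_unsigned,
                                   enum strategy s, char *buf)
{
    int radix = 10;                               /* hard-coded radix */
    if (s == SIGN_OF_VALUE)
        radix = (value < 0) ? -10 : 10;           /* reporter's suggestion */
    else if (s == COLUMN_FLAG)
        radix = is_unsigned ? 10 : -10;           /* decided by column type */
    demo_ll10_to_str(value, buf, radix);
    return buf;
}

int main(void)
{
    char buf[24];
    /* -1 and the largest unsigned 64-bit value share one bit pattern, so the
       value alone cannot say which one the column holds. */
    printf("signed,   radix 10   : %s\n", fetch_as_string(-1LL, 0, ALWAYS_UNSIGNED, buf));
    printf("signed,   value sign : %s\n", fetch_as_string(-1LL, 0, SIGN_OF_VALUE, buf));
    printf("unsigned, value sign : %s\n", fetch_as_string(-1LL, 1, SIGN_OF_VALUE, buf));
    printf("unsigned, column flag: %s\n", fetch_as_string(-1LL, 1, COLUMN_FLAG, buf));
    printf("signed,   column flag: %s\n", fetch_as_string(-1LL, 0, COLUMN_FLAG, buf));
    return 0;
}
```

The third line of output is the case the reply above refers to: choosing the radix from the value's sign formats an unsigned column holding the maximum 64-bit value as a negative number.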