[MDEV-23105] Cast number string with many leading zeros to decimal gives unexpected result - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5, 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.1.48, 10.2.35, 10.3.26, 10.4.16, 10.5.7
Component/s: Data types
Labels:
None

Description

Casting numeric representing decimal value string with many leading
zeros into MySQL database gives an unexpected value. For example query:

"SELECT
CAST(0000000000000000000000000000000000000000000000000000000000000000000000000000000020.01
AS DECIMAL(15,2)) as val;"

gives value 9999999999999.99

The bug appears when input string is longer than 83 symbols and is
present in newest MySQL 8.0, maybe in its older version and in MariaDB
also. "83" limit seems to be related to the DECIMAL_MAX_STR_LENGTH
constant from MySQL C sources, when input string is longer than that
constant, MySQL sets resulted value to maximal decimal value with given
precision.

It could be dangerous in many case, for for example for online financial
services that use MySQL. A malicious persons could use this bug for
getting big amount of money on its account by entering sum with many
leading zeros.

Attachments

Activity

People

Assignee:: Alexander Barkov

Reporter:: Sergey Lebedev

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2020-07-06 21:14

Updated:: 2020-10-06 18:52

Resolved:: 2020-08-06 04:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.