MDEV-22751 Uninitialized tbl_len in dict_acquire_mdl_shared()

A crash was observed where dict_acquire_mdl_shared<trylock=false> would invoke memcpy() with an apparently uninitialized tbl_len. dict_table_t::parse_name(): Remove an unnecessary tbl_len-- operation. (This should be mostly non-functional cleanup.) dict_acquire_mdl_shared(): If the second dict_table_t::parse_name() returns false, terminate the loop just like we would do on the first invocation.
2025-01-30 18:41:56 +01:00 · 2020-05-29 16:49:10 +03:00 · 2020-05-29 16:49:10 +03:00 · 39dc461662
commit 39dc461662
parent 58f3f692b9
1 changed files with 11 additions and 2 deletions
--- a/storage/innobase/dict/dict0dict.cc
+++ b/storage/innobase/dict/dict0dict.cc
@ -749,7 +749,6 @@ bool dict_table_t::parse_name(char (&db_name)[NAME_LEN + 1],

  size_t tbl_len= strlen(name.m_name + db_len);
  memcpy(tbl_buf, name.m_name + db_len + 1, tbl_len);
-  tbl_len--;
  if (!dict_locked)
    mutex_exit(&dict_sys.mutex);

@ -883,7 +882,17 @@ is_unaccessible:

  size_t db1_len, tbl1_len;

-  table->parse_name<!trylock>(db_buf1, tbl_buf1, &db1_len, &tbl1_len);
+  if (!table->parse_name<!trylock>(db_buf1, tbl_buf1, &db1_len, &tbl1_len))
+  {
+    /* The table was renamed to #sql prefix.
+    Release MDL (if any) for the old name and return. */
+    if (*mdl)
+    {
+      mdl_context->release_lock(*mdl);
+      *mdl= nullptr;
+    }
+    return table;
+  }

  if (*mdl)
  {