mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-17 04:22:27 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

BUG#22053 - REPAIR table can crash server for some

Browse source 
really damaged MyISAM tables

When unpacking a blob column from broken row server crash
could happen. This could rather happen when trying to repair
a table using either REPAIR TABLE or myisamchk, though it
also could happend when trying to access broken row using
other SQL statements like SELECT if table is not marked as
crashed.

Fixed ulong overflow when trying to extract blob from
broken row.

Affects MyISAM only.
This commit is contained in:
svoj@mysql.com/april.(none) 2006-10-25 15:40:10 +05:00
parent d2fa9fd192
commit cdb8358503
1 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
myisam/mi_dynrec.c
View file

@ -992,9 +992,11 @@ ulong _mi_rec_unpack(register MI_INFO *info, register byte *to, byte *from,
{
uint size_length=rec_length- mi_portable_sizeof_char_ptr;
ulong blob_length=_mi_calc_blob_length(size_length,from);
if ((ulong) (from_end-from) - size_length < blob_length ||
min_pack_length > (uint) (from_end -(from+size_length+blob_length)))
goto err;
ulong from_left= (ulong) (from_end - from);
if (from_left < size_length ||
from_left - size_length < blob_length ||
from_left - size_length - blob_length < min_pack_length)
goto err;
memcpy((byte*) to,(byte*) from,(size_t) size_length);
from+=size_length;
memcpy_fixed((byte*) to+size_length,(byte*) &from,sizeof(char*));