From d58799ed1783479e82312e1b221e39a0697afc8e Mon Sep 17 00:00:00 2001 From: Mattias Jonsson Date: Wed, 20 Nov 2013 13:13:18 +0100 Subject: [PATCH] backport of Bug#17401628 revid:mattias.jonsson@oracle.com-20131119103616-u6t82s8cpgp0q3ex Use of uninitialized memory in the priority queue used for returning records in sorted order. It happens if no previous partition have returned a row since the beginning of index_init + an index_read* call returned HA_ERR_KEY_NOT_FOUND for all partitions (otherwise the record buffer/priority queue would be initialized) + an index_next/prev call where all partitions returns HA_ERR_END_OF_FILE. --- sql/ha_partition.cc | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/sql/ha_partition.cc b/sql/ha_partition.cc index bf4ba5ed765..aadac36e2ee 100644 --- a/sql/ha_partition.cc +++ b/sql/ha_partition.cc @@ -5398,7 +5398,7 @@ void ha_partition::return_top_record(uchar *buf) int ha_partition::handle_ordered_index_scan_key_not_found() { int error; - uint i; + uint i, old_elements= m_queue.elements; uchar *part_buf= m_ordered_rec_buffer; uchar *curr_rec_buf= NULL; DBUG_ENTER("ha_partition::handle_ordered_index_scan_key_not_found"); @@ -5433,9 +5433,12 @@ int ha_partition::handle_ordered_index_scan_key_not_found() bitmap_clear_all(&m_key_not_found_partitions); m_key_not_found= false; - /* Update m_top_entry, which may have changed. */ - uchar *key_buffer= queue_top(&m_queue); - m_top_entry= uint2korr(key_buffer); + if (m_queue.elements > old_elements) + { + /* Update m_top_entry, which may have changed. */ + uchar *key_buffer= queue_top(&m_queue); + m_top_entry= uint2korr(key_buffer); + } DBUG_RETURN(0); }