mirror of
https://github.com/MariaDB/server.git
synced 2025-01-27 09:14:17 +01:00
5b940bdcfc
heap-buffer-overflow in _mi_put_key_in_record
Rec buffer size depends on vreclength like this:
length= MY_MAX(length, info->s->vreclength);
The problem is rec buffer is allocated before vreclength is
calculated. The fix reallocates rec buffer if vreclength changed.
1. Rec buffer allocated
f0 mi_alloc_rec_buff (...) at ../src/storage/myisam/mi_open.c:738
f1 0x00005f4928244516 in mi_open (...) at ../src/storage/myisam/mi_open.c:671
f2 0x00005f4928210b98 in ha_myisam::open (...)
at ../src/storage/myisam/ha_myisam.cc:847
f3 0x00005f49273aba41 in handler::ha_open (...) at ../src/sql/handler.cc:3105
f4 0x00005f4927995a65 in open_table_from_share (...)
at ../src/sql/table.cc:4320
f5 0x00005f492769f084 in open_table (...) at ../src/sql/sql_base.cc:2024
f6 0x00005f49276a3ea9 in open_and_process_table (...)
at ../src/sql/sql_base.cc:3819
f7 0x00005f49276a29b8 in open_tables (...) at ../src/sql/sql_base.cc:4303
f8 0x00005f49276a6f3f in open_and_lock_tables (...)
at ../src/sql/sql_base.cc:5250
f9 0x00005f49275162de in open_and_lock_tables (...)
at ../src/sql/sql_base.h:509
f10 0x00005f4927a30d7a in open_only_one_table (...)
at ../src/sql/sql_admin.cc:412
f11 0x00005f4927a2c0c2 in mysql_admin_table (...)
at ../src/sql/sql_admin.cc:603
f12 0x00005f4927a2fda8 in Sql_cmd_optimize_table::execute (...)
at ../src/sql/sql_admin.cc:1517
f13 0x00005f49278102e3 in mysql_execute_command (...)
at ../src/sql/sql_parse.cc:6180
f14 0x00005f49278012d7 in mysql_parse (...) at ../src/sql/sql_parse.cc:8236
2. vreclength calculated
f0 ha_myisam::setup_vcols_for_repair (...)
at ../src/storage/myisam/ha_myisam.cc:1002
f1 0x00005f49282138b4 in ha_myisam::optimize (...)
at ../src/storage/myisam/ha_myisam.cc:1250
f2 0x00005f49273b4961 in handler::ha_optimize (...)
at ../src/sql/handler.cc:4896
f3 0x00005f4927a2d254 in mysql_admin_table (...)
at ../src/sql/sql_admin.cc:875
f4 0x00005f4927a2fda8 in Sql_cmd_optimize_table::execute (...)
at ../src/sql/sql_admin.cc:1517
f5 0x00005f49278102e3 in mysql_execute_command (...)
at ../src/sql/sql_parse.cc:6180
f6 0x00005f49278012d7 in mysql_parse (...) at ../src/sql/sql_parse.cc:8236
FYI backtrace was done with
set print frame-info location
set print frame-arguments presence
set width 80
|
||
|---|---|---|
| .. | ||
| ftbench | ||
| mysql-test | ||
| ChangeLog | ||
| CMakeLists.txt | ||
| ft_boolean_search.c | ||
| ft_myisam.c | ||
| ft_nlq_search.c | ||
| ft_parser.c | ||
| ft_static.c | ||
| ft_stopwords.c | ||
| ft_update.c | ||
| ftdefs.h | ||
| fulltext.h | ||
| ha_myisam.cc | ||
| ha_myisam.h | ||
| mi_cache.c | ||
| mi_changed.c | ||
| mi_check.c | ||
| mi_checksum.c | ||
| mi_close.c | ||
| mi_create.c | ||
| mi_dbug.c | ||
| mi_delete.c | ||
| mi_delete_all.c | ||
| mi_delete_table.c | ||
| mi_dynrec.c | ||
| mi_extra.c | ||
| mi_extrafunc.h | ||
| mi_info.c | ||
| mi_key.c | ||
| mi_keycache.c | ||
| mi_locking.c | ||
| mi_log.c | ||
| mi_open.c | ||
| mi_packrec.c | ||
| mi_page.c | ||
| mi_panic.c | ||
| mi_preload.c | ||
| mi_range.c | ||
| mi_rename.c | ||
| mi_rfirst.c | ||
| mi_rkey.c | ||
| mi_rlast.c | ||
| mi_rnext.c | ||
| mi_rnext_same.c | ||
| mi_rprev.c | ||
| mi_rrnd.c | ||
| mi_rsame.c | ||
| mi_rsamepos.c | ||
| mi_scan.c | ||
| mi_search.c | ||
| mi_static.c | ||
| mi_statrec.c | ||
| mi_test1.c | ||
| mi_test2.c | ||
| mi_test3.c | ||
| mi_test_all.res | ||
| mi_test_all.sh | ||
| mi_unique.c | ||
| mi_update.c | ||
| mi_write.c | ||
| myisam_ftdump.c | ||
| myisamchk.c | ||
| myisamdef.h | ||
| myisamlog.c | ||
| myisampack.c | ||
| NEWS | ||
| rt_index.c | ||
| rt_index.h | ||
| rt_key.c | ||
| rt_key.h | ||
| rt_mbr.c | ||
| rt_mbr.h | ||
| rt_split.c | ||
| rt_test.c | ||
| sort.c | ||
| sp_defs.h | ||
| sp_key.c | ||
| sp_test.c | ||
| test_pack | ||