mirror of
https://github.com/MariaDB/server.git
synced 2025-01-27 01:04:19 +01:00
82ab92bd66
The crash is caused by macro uint3korr() accessing memory (1 byte) past the end of allocated page. The macro is written such it reads 4 bytes instead of 3 and discards the value of the last byte. However, it is not always guaranteed that all uint3korr accesses will be valid (i.e that the caller allocates an extra byte after the value). In particular, the tree in Item_func_group_concat does not account for any extra bytes that it would need for comparison of keys in some cases (Field_newdate::cmp, Field_medium::cmp) The fix change uint3korr so it does not access extra bytes.
87 lines
4.1 KiB
C
87 lines
4.1 KiB
C
/* Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; version 2 of the License.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1307 USA */
|
|
|
|
/*
|
|
Optimized function-like macros for the x86 architecture (_WIN32 included).
|
|
*/
|
|
#define sint2korr(A) (*((const int16 *) (A)))
|
|
#define sint3korr(A) ((int32) ((((uchar) (A)[2]) & 128) ? \
|
|
(((uint32) 255L << 24) | \
|
|
(((uint32) (uchar) (A)[2]) << 16) |\
|
|
(((uint32) (uchar) (A)[1]) << 8) | \
|
|
((uint32) (uchar) (A)[0])) : \
|
|
(((uint32) (uchar) (A)[2]) << 16) |\
|
|
(((uint32) (uchar) (A)[1]) << 8) | \
|
|
((uint32) (uchar) (A)[0])))
|
|
#define sint4korr(A) (*((const long *) (A)))
|
|
#define uint2korr(A) (*((const uint16 *) (A)))
|
|
#define uint3korr(A) (uint32) (((uint32) ((uchar) (A)[0])) +\
|
|
(((uint32) ((uchar) (A)[1])) << 8) +\
|
|
(((uint32) ((uchar) (A)[2])) << 16))
|
|
#define uint4korr(A) (*((const uint32 *) (A)))
|
|
#define uint5korr(A) ((ulonglong)(((uint32) ((uchar) (A)[0])) +\
|
|
(((uint32) ((uchar) (A)[1])) << 8) +\
|
|
(((uint32) ((uchar) (A)[2])) << 16) +\
|
|
(((uint32) ((uchar) (A)[3])) << 24)) +\
|
|
(((ulonglong) ((uchar) (A)[4])) << 32))
|
|
#define uint6korr(A) ((ulonglong)(((uint32) ((uchar) (A)[0])) + \
|
|
(((uint32) ((uchar) (A)[1])) << 8) + \
|
|
(((uint32) ((uchar) (A)[2])) << 16) + \
|
|
(((uint32) ((uchar) (A)[3])) << 24)) + \
|
|
(((ulonglong) ((uchar) (A)[4])) << 32) + \
|
|
(((ulonglong) ((uchar) (A)[5])) << 40))
|
|
#define uint8korr(A) (*((const ulonglong *) (A)))
|
|
#define sint8korr(A) (*((const longlong *) (A)))
|
|
|
|
#define int2store(T,A) *((uint16*) (T))= (uint16) (A)
|
|
#define int3store(T,A) do { *(T)= (uchar) ((A));\
|
|
*(T+1)=(uchar) (((uint) (A) >> 8));\
|
|
*(T+2)=(uchar) (((A) >> 16));\
|
|
} while (0)
|
|
#define int4store(T,A) *((long *) (T))= (long) (A)
|
|
#define int5store(T,A) do { *(T)= (uchar)((A));\
|
|
*((T)+1)=(uchar) (((A) >> 8));\
|
|
*((T)+2)=(uchar) (((A) >> 16));\
|
|
*((T)+3)=(uchar) (((A) >> 24));\
|
|
*((T)+4)=(uchar) (((A) >> 32));\
|
|
} while(0)
|
|
#define int6store(T,A) do { *(T)= (uchar)((A)); \
|
|
*((T)+1)=(uchar) (((A) >> 8)); \
|
|
*((T)+2)=(uchar) (((A) >> 16)); \
|
|
*((T)+3)=(uchar) (((A) >> 24)); \
|
|
*((T)+4)=(uchar) (((A) >> 32)); \
|
|
*((T)+5)=(uchar) (((A) >> 40)); \
|
|
} while(0)
|
|
#define int8store(T,A) *((ulonglong *) (T))= (ulonglong) (A)
|
|
typedef union {
|
|
double v;
|
|
long m[2];
|
|
} doubleget_union;
|
|
#define doubleget(V,M) \
|
|
do { doubleget_union _tmp; \
|
|
_tmp.m[0] = *((const long*)(M)); \
|
|
_tmp.m[1] = *(((const long*) (M))+1); \
|
|
(V) = _tmp.v; } while(0)
|
|
#define doublestore(T,V) \
|
|
do { *((long *) T) = ((const doubleget_union *)&V)->m[0]; \
|
|
*(((long *) T)+1) = ((const doubleget_union *)&V)->m[1]; \
|
|
} while (0)
|
|
#define float4get(V,M) \
|
|
do { *((float *) &(V)) = *((const float*) (M)); } while(0)
|
|
#define float8get(V,M) doubleget((V),(M))
|
|
#define float4store(V,M) memcpy((uchar*)(V), (uchar*)(&M), sizeof(float))
|
|
#define floatstore(T,V) memcpy((uchar*)(T), (uchar*)(&V), sizeof(float))
|
|
#define floatget(V,M) memcpy((uchar*)(&V),(uchar*) (M), sizeof(float))
|
|
#define float8store(V,M) doublestore((V),(M))
|