mirror of
https://github.com/MariaDB/server.git
synced 2025-01-23 23:34:34 +01:00
c9a73aa204
This is a backport of the fix for MySQL bug #13723054 in 5.6. Original comment: The crash is caused by arbitrary memory area owerwriting in case of BLOB fields during attempt to copy BLOB field key image into record buffer(record buffer is too small to get BLOB key part image). note: QUICK_GROUP_MIN_MAX_SELECT can not work with BLOB fields because it uses record buffer as temporary buffer for key values however this case is filtered out by covering_keys() check in get_best_group_min_max() as BLOBs always require key length modificator in the key declaration and if the key has a BLOB then it can not be covered key. The fix is to use 'max_used_key_length' key length instead of 0. Analysis: Spcifically the crash in this bug was a result of the call to key_copy() that copied the whole key, inlcuding the BLOB field which is not used for index access. Copying the blob field overwrote memory as far as the function parameter 'key_info'. As a result the contents of key_info was all 0, which resulted in a crash when this key_info was accessed few lines below in key_cmp().
160 lines
4.3 KiB
Text
160 lines
4.3 KiB
Text
create table t1 (USR_ID integer not null, MAX_REQ integer not null, constraint PK_SEA_USER primary key (USR_ID)) engine=InnoDB;
|
|
insert into t1 values (1, 3);
|
|
select count(*) + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ from t1 group by MAX_REQ;
|
|
count(*) + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ + MAX_REQ - MAX_REQ
|
|
1
|
|
select Case When Count(*) < MAX_REQ Then 1 Else 0 End from t1 where t1.USR_ID = 1 group by MAX_REQ;
|
|
Case When Count(*) < MAX_REQ Then 1 Else 0 End
|
|
1
|
|
drop table t1;
|
|
create table t1m (a int) engine=myisam;
|
|
create table t1i (a int) engine=innodb;
|
|
create table t2m (a int) engine=myisam;
|
|
create table t2i (a int) engine=innodb;
|
|
insert into t2m values (5);
|
|
insert into t2i values (5);
|
|
select min(a) from t1m;
|
|
min(a)
|
|
NULL
|
|
select min(7) from t1m;
|
|
min(7)
|
|
NULL
|
|
select min(7) from DUAL;
|
|
min(7)
|
|
7
|
|
explain select min(7) from t2m join t1m;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE NULL NULL NULL NULL NULL NULL NULL Select tables optimized away
|
|
select min(7) from t2m join t1m;
|
|
min(7)
|
|
NULL
|
|
select max(a) from t1m;
|
|
max(a)
|
|
NULL
|
|
select max(7) from t1m;
|
|
max(7)
|
|
NULL
|
|
select max(7) from DUAL;
|
|
max(7)
|
|
7
|
|
explain select max(7) from t2m join t1m;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE NULL NULL NULL NULL NULL NULL NULL Select tables optimized away
|
|
select max(7) from t2m join t1m;
|
|
max(7)
|
|
NULL
|
|
select 1, min(a) from t1m where a=99;
|
|
1 min(a)
|
|
1 NULL
|
|
select 1, min(a) from t1m where 1=99;
|
|
1 min(a)
|
|
1 NULL
|
|
select 1, min(1) from t1m where a=99;
|
|
1 min(1)
|
|
1 NULL
|
|
select 1, min(1) from t1m where 1=99;
|
|
1 min(1)
|
|
1 NULL
|
|
select 1, max(a) from t1m where a=99;
|
|
1 max(a)
|
|
1 NULL
|
|
select 1, max(a) from t1m where 1=99;
|
|
1 max(a)
|
|
1 NULL
|
|
select 1, max(1) from t1m where a=99;
|
|
1 max(1)
|
|
1 NULL
|
|
select 1, max(1) from t1m where 1=99;
|
|
1 max(1)
|
|
1 NULL
|
|
select min(a) from t1i;
|
|
min(a)
|
|
NULL
|
|
select min(7) from t1i;
|
|
min(7)
|
|
NULL
|
|
select min(7) from DUAL;
|
|
min(7)
|
|
7
|
|
explain select min(7) from t2i join t1i;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t2i ALL NULL NULL NULL NULL 1
|
|
1 SIMPLE t1i ALL NULL NULL NULL NULL 1 Using join buffer
|
|
select min(7) from t2i join t1i;
|
|
min(7)
|
|
NULL
|
|
select max(a) from t1i;
|
|
max(a)
|
|
NULL
|
|
select max(7) from t1i;
|
|
max(7)
|
|
NULL
|
|
select max(7) from DUAL;
|
|
max(7)
|
|
7
|
|
explain select max(7) from t2i join t1i;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t2i ALL NULL NULL NULL NULL 1
|
|
1 SIMPLE t1i ALL NULL NULL NULL NULL 1 Using join buffer
|
|
select max(7) from t2i join t1i;
|
|
max(7)
|
|
NULL
|
|
select 1, min(a) from t1i where a=99;
|
|
1 min(a)
|
|
1 NULL
|
|
select 1, min(a) from t1i where 1=99;
|
|
1 min(a)
|
|
1 NULL
|
|
select 1, min(1) from t1i where a=99;
|
|
1 min(1)
|
|
1 NULL
|
|
select 1, min(1) from t1i where 1=99;
|
|
1 min(1)
|
|
1 NULL
|
|
select 1, max(a) from t1i where a=99;
|
|
1 max(a)
|
|
1 NULL
|
|
select 1, max(a) from t1i where 1=99;
|
|
1 max(a)
|
|
1 NULL
|
|
select 1, max(1) from t1i where a=99;
|
|
1 max(1)
|
|
1 NULL
|
|
select 1, max(1) from t1i where 1=99;
|
|
1 max(1)
|
|
1 NULL
|
|
explain select count(*), min(7), max(7) from t1m, t1i;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t1m system NULL NULL NULL NULL 0 const row not found
|
|
1 SIMPLE t1i ALL NULL NULL NULL NULL 1
|
|
select count(*), min(7), max(7) from t1m, t1i;
|
|
count(*) min(7) max(7)
|
|
0 NULL NULL
|
|
explain select count(*), min(7), max(7) from t1m, t2i;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t1m system NULL NULL NULL NULL 0 const row not found
|
|
1 SIMPLE t2i ALL NULL NULL NULL NULL 1
|
|
select count(*), min(7), max(7) from t1m, t2i;
|
|
count(*) min(7) max(7)
|
|
0 NULL NULL
|
|
explain select count(*), min(7), max(7) from t2m, t1i;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t2m system NULL NULL NULL NULL 1
|
|
1 SIMPLE t1i ALL NULL NULL NULL NULL 1
|
|
select count(*), min(7), max(7) from t2m, t1i;
|
|
count(*) min(7) max(7)
|
|
0 NULL NULL
|
|
drop table t1m, t1i, t2m, t2i;
|
|
#
|
|
# Bug#13723054 CRASH WITH MIN/MAX AFTER QUICK_GROUP_MIN_MAX_SELECT::NEXT_MIN
|
|
#
|
|
CREATE TABLE t1(a BLOB, b VARCHAR(255) CHARSET LATIN1, c INT,
|
|
KEY(b, c, a(765))) ENGINE=INNODB;
|
|
INSERT INTO t1(a, b, c) VALUES ('', 'a', 0), ('', 'a', null), ('', 'a', 0);
|
|
SELECT MIN(c) FROM t1 GROUP BY b;
|
|
MIN(c)
|
|
0
|
|
EXPLAIN SELECT MIN(c) FROM t1 GROUP BY b;
|
|
id select_type table type possible_keys key key_len ref rows Extra
|
|
1 SIMPLE t1 range NULL b 263 NULL 4 Using index for group-by
|
|
DROP TABLE t1;
|