Fix for bug #32241: memory corruption due to large index map in 'Range

checked for each record' The problem was in incorrectly calculated length of the buffer used to store a hexadecimal representation of an index map in select_describe(). This could result in buffer overrun and stack corruption under some circumstances. Fixed by correcting the calculation. mysql-test/r/explain.result: Added a test case for bug #32241. mysql-test/t/explain.test: Added a test case for bug #32241. sql/sql_select.cc: Corrected the buffer length calculation. Count one hex digit as 4 bits, not 8.
2025-08-01 03:47:19 +03:00 · 2007-11-16 13:58:09 +03:00
parent f668665955
commit 1c1dd1f25c
3 changed files with 50 additions and 1 deletions
--- a/mysql-test/r/explain.result
+++ b/mysql-test/r/explain.result
@ -87,3 +87,23 @@ Warnings:
 Note	1003	select '1' AS `f1`,'1' AS `f2` from `test`.`t1` having 1
 drop view v1;
 drop table t1;
+CREATE TABLE t1(c INT);
+INSERT INTO t1 VALUES (),();
+CREATE TABLE t2 (b INT,
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b));
+INSERT INTO t2 VALUES (),(),();
+EXPLAIN SELECT 1 FROM
+(SELECT 1 FROM t2,t1 WHERE b < c GROUP BY 1 LIMIT 1) AS d2;
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+X	X	X	X	X	X	X	X	X	const row not found
+X	X	X	X	X	X	X	X	X	
+X	X	X	X	X	X	X	X	X	Range checked for each record (index map: 0xFFFFFFFFFF)
+DROP TABLE t2;
+DROP TABLE t1;