database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-24033: SIGSEGV in __memcmp_avx2_movbe from queue_insert | SIGSEGV in __memcmp_avx2_movbe from native_compare

Browse Source 
The issue here was the system variable max_sort_length was being applied
to decimals and it was truncating the value for decimals to the number
of bytes set by max_sort_length.
This was leading to a buffer overflow as the values were written
to the buffer without truncation and then we moved the offset to
the number of bytes(set by max_sort_length), that are needed for comparison.

The fix is to not apply max_sort_length for fixed size types like INT,
DECIMALS and only apply max_sort_length for CHAR, VARCHARS, TEXT and
BLOBS.
This commit is contained in:
Varun Gupta
2020-10-30 14:56:57 +05:30
committed by Marko Mäkelä
parent 5482d62760
commit 5a0c34e4c2
6 changed files with 61 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sql/sql_class.h
View File

@ -5449,6 +5449,8 @@ struct SORT_FIELD_ATTR
{
uint length; /* Length of sort field */
uint suffix_length; /* Length suffix (0-4) */
enum Type { FIXED_SIZE, VARIABLE_SIZE } type;
bool is_variable_sized() { return type == VARIABLE_SIZE; }
};