database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

MDEV-24033: SIGSEGV in __memcmp_avx2_movbe from queue_insert | SIGSEGV in __memcmp_avx2_movbe from native_compare

Browse Source 
The issue here was the system variable max_sort_length was being applied
to decimals and it was truncating the value for decimals to the number
of bytes set by max_sort_length.
This was leading to a buffer overflow as the values were written
to the buffer without truncation and then we moved the offset to
the number of bytes(set by max_sort_length), that are needed for comparison.

The fix is to not apply max_sort_length for fixed size types like INT,
DECIMALS and only apply max_sort_length for CHAR, VARCHARS, TEXT and
BLOBS.
This commit is contained in:
Varun Gupta
2020-10-30 14:56:57 +05:30
committed by Marko Mäkelä
parent 5482d62760
commit 5a0c34e4c2
6 changed files with 61 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
sql/sql_type.h
View File

@ -92,6 +92,7 @@ public:
virtual void sortlength(THD *thd,
const Type_std_attributes *item,
SORT_FIELD_ATTR *attr) const= 0;
virtual bool is_packable() const { return false; }
};
@ -169,6 +170,7 @@ public:
void sortlength(THD *thd,
const Type_std_attributes *item,
SORT_FIELD_ATTR *attr) const;
bool is_packable()const { return true; }
};