mirror of https://github.com/MariaDB/server.git synced 2025-08-07 00:04:31 +03:00

Fixed LP bug #663840.

When adding a new record into the join buffer that is employed by
the BNLH join algorithm, the writing procedure JOIN_CACHE::write_record_data
checks whether there is enough space for the record in the buffer.
When doing this it must take into account a possible new key entry
added to the buffer. It might happen, as has been demonstrated by
the bug test case, that there is enough remaining space in the buffer
for the record, but not for the additional key entry for this record.
In this case the key entry overwrites the end of the record, which might
cause a crash or wrong results.
Fixed by taking into account a possible addition of a new key entry when
estimating the remaining free space in the buffer.
Igor Babaev
2010-10-22 10:53:29 -07:00
parent ac58b4b7e0
commit ca862231f7
4 changed files with 166 additions and 16 deletions


@@ -1164,7 +1164,7 @@ uint JOIN_CACHE::write_record_data(uchar * link, bool *is_full)
records++; /* Increment the counter of records in the cache */
len= pack_length;
len= pack_length + extra_key_length();
/* Make an adjustment for the size of the auxiliary buffer if there is any */
uint incr= aux_buffer_incr(records);
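Review bot: The new initialisation of len in JOIN_CACHE::write_record_data has no comment explaining the extra_key_length() term, and the only nearby comment talks about the auxiliary buffer adjustment. Since the commit message describes the key entry as only a possible addition, the term is a worst-case reservation that is added for every record, so please say so in a comment next to the assignment. It is also worth confirming that no later use of len in this function, outside the lines shown, still expects it to be the packed record length alone, because len no longer equals pack_length after this change.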
@@ -2723,6 +2723,7 @@ bool JOIN_CACHE_HASHED::put_record()
memcpy(cp, key, key_len);
}
last_key_entry= cp;
DBUG_ASSERT(last_key_entry >= end_pos);
/* Increment the counter of key_entries in the hash table */
key_entries++;
}
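Review bot: The DBUG_ASSERT(last_key_entry >= end_pos) in JOIN_CACHE_HASHED::put_record runs after memcpy(cp, key, key_len) has already written the key, so when the condition is violated the record data has been overwritten before the assertion fires. Consider checking the destination pointer against end_pos before the copy instead. DBUG_ASSERT is also compiled out of non-debug builds, so release builds rely entirely on the space estimate in write_record_data; if an overlap here is ever reachable again, nothing in this function would stop the write.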