database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug #37044: Read overflow in opt_range.cc found during "make test"

Browse Source 
The code was using a special global buffer for the value of IS NULL ranges.
This was not always long enough to be copied by a regular memcpy. As a 
result read buffer overflows may occur.
Fixed by setting the null byte to 1 and setting the rest of the field disk image
to NULL with a bzero (instead of relying on the buffer and memcpy()).
This commit is contained in:
Georgi Kodinov
2009-08-24 15:28:03 +03:00
parent 8dba7d18b4
commit e4f8deb226
1 changed files with 14 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
sql/opt_range.cc
View File

@ -8308,11 +8308,21 @@ get_constant_key_infix(KEY *index_info, SEL_ARG *index_range_tree,
return FALSE; return FALSE;
uint field_length= cur_part->store_length; uint field_length= cur_part->store_length;
if ((cur_range->maybe_null && if (cur_range->maybe_null &&
cur_range->min_value[0] && cur_range->max_value[0]) cur_range->min_value[0] && cur_range->max_value[0])
|| {
(memcmp(cur_range->min_value, cur_range->max_value, field_length) == 0)) /*
{ /* cur_range specifies 'IS NULL' or an equality condition. */ cur_range specifies 'IS NULL'. In this case the argument points to a "null value" (is_null_string)
that may not always be long enough for a direct memcpy to a field.
*/
DBUG_ASSERT (field_length > 0);
*key_ptr= 1;
bzero(key_ptr+1,field_length-1);
key_ptr+= field_length;
*key_infix_len+= field_length;
}
else if (memcmp(cur_range->min_value, cur_range->max_value, field_length) == 0)
{ /* cur_range specifies an equality condition. */
memcpy(key_ptr, cur_range->min_value, field_length); memcpy(key_ptr, cur_range->min_value, field_length);
key_ptr+= field_length; key_ptr+= field_length;
*key_infix_len+= field_length; *key_infix_len+= field_length;