author | Rex <rex.johnston@mariadb.com> | 2023-04-18 06:33:00 +1100 |
---|---|---|
committer | Rex <rex.johnston@mariadb.com> | 2023-04-18 06:33:00 +1100 |
commit | 340731dcea512a3c08656a7b5e31e5a5976d6fcb (patch) | |
tree | 22cd127f62c5f989d4085a7d21297941f01091bc | |
parent | 9c287c0a90fcb6637417bd118f62c78de78f75ee (diff) | |
download | mariadb-git-bb-11.0-MDEV-31022.tar.gz |
MDEV-31022 SIGSEGV in maria_create from create_internal_tmp_table (branch bb-11.0-MDEV-31022)
keydef incorrectly allocated on the stack in create_internal_tmp_table()
-rw-r--r-- | mysql-test/main/derived.result | 17 | ||||
-rw-r--r-- | mysql-test/main/derived.test | 13 | ||||
-rw-r--r-- | sql/sql_select.cc | 23 |
3 files changed, 46 insertions, 7 deletions
diff --git a/mysql-test/main/derived.result b/mysql-test/main/derived.result
index 112a72a2bf6..85ae1ebdf89 100644
--- a/mysql-test/main/derived.result
+++ b/mysql-test/main/derived.result
@@ -1476,5 +1476,22 @@ a
 2
 drop table t1;
 #
+# MDEV-SIGSEGV in maria_create from create_internal_tmp_table
+# keydef incorrectly allocated on the stack in create_internal_tmp_table()
+#
+CREATE TABLE t (c CHAR(1) NULL) ENGINE=MyISAM;
+INSERT INTO t (c) VALUES (1);
+SET optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
+Warnings:
+Warning 1287 '@@big_tables' is deprecated and will be removed in a future release
+SELECT * FROM t WHERE c IN ('','');
+c
+SET sql_mode='', optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
+Warnings:
+Warning 1287 '@@big_tables' is deprecated and will be removed in a future release
+SELECT * FROM t WHERE c IN ('','');
+c
+DROP TABLE t;
+#
 # End of 11.0 tests
 #
diff --git a/mysql-test/main/derived.test b/mysql-test/main/derived.test
index e5f01e15821..3e6b3f2b194 100644
--- a/mysql-test/main/derived.test
+++ b/mysql-test/main/derived.test
@@ -1244,5 +1244,18 @@ SELECT a FROM t1 WHERE a IN ( 1, 1, 2, 194 );
 drop table t1;
 --echo #
+--echo # MDEV-SIGSEGV in maria_create from create_internal_tmp_table
+--echo # keydef incorrectly allocated on the stack in create_internal_tmp_table()
+--echo #
+
+CREATE TABLE t (c CHAR(1) NULL) ENGINE=MyISAM;
+INSERT INTO t (c) VALUES (1);
+SET optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
+SELECT * FROM t WHERE c IN ('','');
+SET sql_mode='', optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
+SELECT * FROM t WHERE c IN ('','');
+DROP TABLE t;
+
+--echo #
 --echo # End of 11.0 tests
 --echo #
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 26987c9072e..7219b18a745 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
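Review bot: The new test header in derived.test drops the ticket number: `--echo # MDEV-SIGSEGV in maria_create from create_internal_tmp_table` should read `--echo # MDEV-31022 SIGSEGV in maria_create from create_internal_tmp_table`, matching the commit title, so the regression case can be traced back to the bug report. The same text is recorded in the derived.result hunk, which needs to be regenerated once the test file is corrected.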
@@ -21797,7 +21797,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
                                ulonglong options)
 {
   int error;
-  MARIA_KEYDEF keydef;
+  MARIA_KEYDEF *keydef= nullptr;
   MARIA_UNIQUEDEF uniquedef;
   TABLE_SHARE *share= table->s;
   MARIA_CREATE_INFO create_info;
@@ -21812,6 +21812,16 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
     goto err;
   bzero(seg, sizeof(*seg) * keyinfo->user_defined_key_parts);
 
+
+  keydef= (MARIA_KEYDEF*) alloc_root(&table->mem_root,
+                                     sizeof(*keydef) * share->keys);
+
+  if (!seg)
+    goto err;
+
+  bzero(keydef, sizeof(*keydef) * share->keys);
+
+
   /*
     Note that a similar check is performed during
     subquery_types_allow_materialization. See MDEV-7122 for more details as
@@ -21853,10 +21863,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
   else
   {
     /* Create a key */
-    bzero((char*) &keydef,sizeof(keydef));
-    keydef.flag= keyinfo->flags & HA_NOSAME;
-    keydef.keysegs= keyinfo->user_defined_key_parts;
-    keydef.seg= seg;
+    keydef->flag= keyinfo->flags & HA_NOSAME;
+    keydef->keysegs= keyinfo->user_defined_key_parts;
+    keydef->seg= seg;
   }
   for (uint i=0; i < keyinfo->user_defined_key_parts ; i++,seg++)
   {
@@ -21893,7 +21902,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
     on INSERT be regarded at the same value
     */
     if (!using_unique_constraint)
-      keydef.flag|= HA_NULL_ARE_EQUAL;
+      keydef->flag|= HA_NULL_ARE_EQUAL;
   }
   }
   if (share->keys)
@@ -21943,7 +21952,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
   }
   if (unlikely((error= maria_create(share->path.str, file_type, share->keys,
-                                   &keydef, (uint) (*recinfo-start_recinfo),
+                                   keydef, (uint) (*recinfo-start_recinfo),
                                    start_recinfo, share->uniques, &uniquedef,
                                    &create_info, create_flags))))
   { |
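Review bot: The NULL check after the new alloc_root call in the second hunk tests the wrong pointer: `if (!seg)` re-checks the segment array that was already validated a few lines earlier, so a failed keydef allocation falls through to `bzero(keydef, ...)` and dereferences NULL; it should read `if (!keydef) goto err;`. The allocation is also sized by `share->keys`, while the "Create a key" branch in the third hunk writes through `keydef` unconditionally, so if that branch can ever run with `share->keys == 0` the write lands outside a zero-length allocation; a `DBUG_ASSERT(share->keys)` (or a guard) at that point would make the invariant explicit, assuming the relationship between the two holds in the code outside the hunk. The two doubled blank lines around the new block are likely leftovers and could be collapsed. create_internal_tmp_table begins before the first hunk and continues past the last one.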