Fix for bug #32241: memory corruption due to large index map in 'Range

checked for each record'

The problem was in incorrectly calculated length of the buffer used to
store a hexadecimal representation of an index map in
select_describe(). This could result in buffer overrun and stack
corruption under some circumstances.

Fixed by correcting the calculation.


mysql-test/r/explain.result:
  Added a test case for bug #32241.
mysql-test/t/explain.test:
  Added a test case for bug #32241.
sql/sql_select.cc:
  Corrected the buffer length calculation. Count one hex digit as 4 bits,
  not 8.

1 files changed, 20 insertions, 0 deletions

diff --git a/mysql-test/r/explain.result b/mysql-test/r/explain.result
index 24ff44945bf..a4c8432d2a4 100644
--- a/mysql-test/r/explain.result
+++ b/mysql-test/r/explain.result
@@ -87,3 +87,23 @@ Warnings:
 Note	1003	select '1' AS `f1`,'1' AS `f2` from `test`.`t1` having 1
 drop view v1;
 drop table t1;
+CREATE TABLE t1(c INT);
+INSERT INTO t1 VALUES (),();
+CREATE TABLE t2 (b INT,
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b),
+KEY(b),KEY(b),KEY(b),KEY(b),KEY(b));
+INSERT INTO t2 VALUES (),(),();
+EXPLAIN SELECT 1 FROM
+(SELECT 1 FROM t2,t1 WHERE b < c GROUP BY 1 LIMIT 1) AS d2;
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+X	X	X	X	X	X	X	X	X	const row not found
+X	X	X	X	X	X	X	X	X	
+X	X	X	X	X	X	X	X	X	Range checked for each record (index map: 0xFFFFFFFFFF)
+DROP TABLE t2;
+DROP TABLE t1;