MDEV-31022 SIGSEGV in maria_create from create_internal_tmp_tablebb-11.0-MDEV-31022

keydef incorrectly allocated on the stack in create_internal_tmp_table()
author: Rex <rex.johnston@mariadb.com> 2023-04-18 06:33:00 +1100
committer: Rex <rex.johnston@mariadb.com> 2023-04-18 06:33:00 +1100
commit: 340731dcea512a3c08656a7b5e31e5a5976d6fcb (patch)
tree: 22cd127f62c5f989d4085a7d21297941f01091bc /sql/sql_select.cc
parent: 9c287c0a90fcb6637417bd118f62c78de78f75ee (diff)
download: mariadb-git-bb-11.0-MDEV-31022.tar.gz
1 files changed, 16 insertions, 7 deletions
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 26987c9072e..7219b18a745 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -21797,7 +21797,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
                                ulonglong options)
 {
   int error;
-  MARIA_KEYDEF keydef;
+  MARIA_KEYDEF *keydef= nullptr;
   MARIA_UNIQUEDEF uniquedef;
   TABLE_SHARE *share= table->s;
   MARIA_CREATE_INFO create_info;
@@ -21812,6 +21812,16 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
       goto err;
 
     bzero(seg, sizeof(*seg) * keyinfo->user_defined_key_parts);
+
+    keydef= (MARIA_KEYDEF*) alloc_root(&table->mem_root,
+                                       sizeof(*keydef) * share->keys);
+
+    if (!seg)
+      goto err;
+
+    bzero(keydef, sizeof(*keydef) * share->keys);
+
+
     /*
        Note that a similar check is performed during
        subquery_types_allow_materialization. See MDEV-7122 for more details as
@@ -21853,10 +21863,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
     else
     {
       /* Create a key */
-      bzero((char*) &keydef,sizeof(keydef));
-      keydef.flag= keyinfo->flags & HA_NOSAME;
-      keydef.keysegs=  keyinfo->user_defined_key_parts;
-      keydef.seg= seg;
+      keydef->flag= keyinfo->flags & HA_NOSAME;
+      keydef->keysegs=  keyinfo->user_defined_key_parts;
+      keydef->seg= seg;
     }
     for (uint i=0; i < keyinfo->user_defined_key_parts ; i++,seg++)
     {
@@ -21893,7 +21902,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
 	  on INSERT be regarded at the same value
 	*/
 	if (!using_unique_constraint)
-	  keydef.flag|= HA_NULL_ARE_EQUAL;
+	  keydef->flag|= HA_NULL_ARE_EQUAL;
       }
     }
     if (share->keys)
@@ -21943,7 +21952,7 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
     }
 
     if (unlikely((error= maria_create(share->path.str, file_type, share->keys,
-                                      &keydef, (uint) (*recinfo-start_recinfo),
+                                      keydef, (uint) (*recinfo-start_recinfo),
                                       start_recinfo, share->uniques, &uniquedef,
                                       &create_info, create_flags))))
     {
author	Rex <rex.johnston@mariadb.com>	2023-04-18 06:33:00 +1100
committer	Rex <rex.johnston@mariadb.com>	2023-04-18 06:33:00 +1100
commit	340731dcea512a3c08656a7b5e31e5a5976d6fcb (patch)
tree	22cd127f62c5f989d4085a7d21297941f01091bc /sql/sql_select.cc
parent	9c287c0a90fcb6637417bd118f62c78de78f75ee (diff)
download	mariadb-git-bb-11.0-MDEV-31022.tar.gz