author | Arun Kuruvila <arun.kuruvila@oracle.com> | 2018-06-29 12:09:18 +0530 |
---|---|---|
committer | Arun Kuruvila <arun.kuruvila@oracle.com> | 2018-06-29 12:09:18 +0530 |
commit | 22e99fcb34712e710c6fe086d44e3643479f9e76 (patch) | |
tree | eb754e2de794244f2917d0e6abac8d47c5d38663 /storage/heap | |
parent | e1fdeb2468f3ee16e34e0c3af856edde128836e5 (diff) | |
download | mariadb-git-22e99fcb34712e710c6fe086d44e3643479f9e76.tar.gz |
Bug#27799513: POTENTIAL DOUBLE FREE OR CORRUPTION OF HEAP
INFO (HP_INFO)
Description:- Server crashes due to memory overflow.
Analysis:- Bytes for storing key length are wrongly set
for HEAP tables.
Fix:- Bytes used to store the key length is properly set
inside "heap_create()".
Diffstat (limited to 'storage/heap')
-rw-r--r-- | storage/heap/hp_create.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/storage/heap/hp_create.c b/storage/heap/hp_create.c
index 93928cd479e..d32a69dd630 100644
--- a/storage/heap/hp_create.c
+++ b/storage/heap/hp_create.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -92,7 +92,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info, /* fall_through */ case HA_KEYTYPE_VARTEXT1: keyinfo->flag|= HA_VAR_LENGTH_KEY;
- length+= 2;
+ /*
+ For BTREE algorithm, key length, greater than or equal
+ to 255, is packed on 3 bytes.
+ */
+ if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
+ length+= size_to_store_key_length(keyinfo->seg[j].length);
+ else
+ length+= 2; /* Save number of bytes used to store length */ keyinfo->seg[j].bit_start= 1; break;
@@ -101,7 +108,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info, /* fall_through */ case HA_KEYTYPE_VARTEXT2: keyinfo->flag|= HA_VAR_LENGTH_KEY;
- length+= 2;
+ /*
+ For BTREE algorithm, key length, greater than or equal
+ to 255, is packed on 3 bytes.
+ */
+ if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
+ length+= size_to_store_key_length(keyinfo->seg[j].length);
+ else
+ length+= 2; /* Save number of bytes used to store length */ keyinfo->seg[j].bit_start= 2; /* |
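Review bot: The eight lines added under `case HA_KEYTYPE_VARTEXT1:` are repeated verbatim under `case HA_KEYTYPE_VARTEXT2:` in the following hunk; a small file-local helper would keep the two key-length computations from drifting apart the next time the packing rule changes, and gives the `HA_KEY_ALG_BTREE` rule a single place to be documented. The new comment only describes lengths of 255 and above, so a reader cannot tell from it what `size_to_store_key_length()` yields for shorter key parts — if it is 1 byte, the comment should say so, because that differs from the old constant 2 and from what the non-BTREE branch still adds. `size_to_store_key_length` is not defined in this file and nothing else under storage/heap changes in this commit, so presumably it comes from a header already included here; worth confirming it is declared there rather than `static` in another translation unit. heap_create's body starts and ends outside both hunks.
```c
/* Bytes needed to store one variable-length key part's length for this key. */
static uint var_key_length_bytes(const HP_KEYDEF *keyinfo, uint part_length)
{
  /* BTREE keys pack lengths >= 255 on 3 bytes; hash keys always use 2. */
  if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
    return size_to_store_key_length(part_length);
  return 2;
}

/* … unchanged: heap_create() up to the key-type switch … */
      case HA_KEYTYPE_VARTEXT1:
        keyinfo->flag|= HA_VAR_LENGTH_KEY;
        length+= var_key_length_bytes(keyinfo, keyinfo->seg[j].length);
        /* … unchanged: bit_start= 1; break; … */
      case HA_KEYTYPE_VARTEXT2:
        keyinfo->flag|= HA_VAR_LENGTH_KEY;
        length+= var_key_length_bytes(keyinfo, keyinfo->seg[j].length);
        /* … unchanged: bit_start= 2 … */
```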