From f54beb2dccb921296a4c0bec1aa45e5dd6e53a69 Mon Sep 17 00:00:00 2001
From: Sergey Glukhov <Sergey.Glukhov@sun.com>
Date: Wed, 27 May 2009 15:34:21 +0500
Subject: Bug#41212 crash after race condition between merge table and
 table_cache evictions On 64-bit Windows: querying MERGE table with keys may
 cause server crash.The problem is generic and may affect any statement
 accessing MERGE table cardinality values. When MERGE engine was copying
 cardinality statistics, it was using incorrect size of element in cardinality
 statistics array (sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
 of memory beyond of the allocated bounds.

sql/ha_myisam.cc:
  When copying rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
sql/ha_myisammrg.cc:
  When copying rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
sql/table.cc:
  When allocating rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
---
 sql/table.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sql/table.cc')

diff --git a/sql/table.cc b/sql/table.cc
index c559b4bb7fd..55a9b50605d 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -233,7 +233,7 @@ int openfrm(THD *thd, const char *name, const char *alias, uint db_stat,
 
   ulong *rec_per_key;
   if (!(rec_per_key= (ulong*) alloc_root(&outparam->mem_root,
-					 sizeof(ulong*)*key_parts)))
+                                         sizeof(ulong)*key_parts)))
     goto err;
 
   for (i=0 ; i < keys ; i++, keyinfo++)
-- 
cgit v1.2.1