Commit 0c9c76e9 authored by Neeraj Bisht

BUG#16222245 - CRASH WITH EXPLAIN FOR A QUERY WITH LOOSE SCAN FOR GROUP BY, MYISAM

Problem:-
A query where we are using the loose index scan optimization and 
we have MIN() causes a segmentation fault (where the table row length 
is less than key_length).

Analysis:

While using loose index scan for MIN(), we call key_copy() to copy 
the key data from the record.
This function is using a temporary record buffer to store key data 
from the record buffer. But in the case where the key length is greater 
than the buffer length, this will cause a segmentation fault.


Solution:
Give a proper buffer to store a key record.


sql/opt_range.cc:
  We can't use the record buffer to store key data. So, give a proper buffer to store a key record.
parent 37e044c2
...@@ -10856,9 +10856,11 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min() ...@@ -10856,9 +10856,11 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min()
*/ */
if (min_max_arg_part && min_max_arg_part->field->is_null()) if (min_max_arg_part && min_max_arg_part->field->is_null())
{ {
uchar key_buf[MAX_KEY_LENGTH];
/* Find the first subsequent record without NULL in the MIN/MAX field. */ /* Find the first subsequent record without NULL in the MIN/MAX field. */
key_copy(tmp_record, record, index_info, 0); key_copy(key_buf, record, index_info, 0);
result= file->index_read_map(record, tmp_record, result= file->index_read_map(record, key_buf,
make_keypart_map(real_key_parts), make_keypart_map(real_key_parts),
HA_READ_AFTER_KEY); HA_READ_AFTER_KEY);
/* /*
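Review bot: The new declaration uchar key_buf[MAX_KEY_LENGTH] gives the buffer a fixed size, while key_copy(key_buf, record, index_info, 0) passes 0 as the length, so the number of bytes written is taken from index_info rather than from the buffer. Nothing in the hunk ties the two together. A debug assertion next to the declaration, for example DBUG_ASSERT(index_info->key_length <= MAX_KEY_LENGTH), would document the bound that makes this copy safe and catch a violation in debug builds. A one-line comment saying that tmp_record cannot be used here because the row buffer can be shorter than the key would also keep a later cleanup from switching back to it.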
...@@ -10874,7 +10876,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min() ...@@ -10874,7 +10876,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min()
if (!result) if (!result)
{ {
if (key_cmp(index_info->key_part, group_prefix, real_prefix_len)) if (key_cmp(index_info->key_part, group_prefix, real_prefix_len))
key_restore(record, tmp_record, index_info, 0); key_restore(record, key_buf, index_info, 0);
} }
else if (result == HA_ERR_KEY_NOT_FOUND || result == HA_ERR_END_OF_FILE) else if (result == HA_ERR_KEY_NOT_FOUND || result == HA_ERR_END_OF_FILE)
result= 0; /* There is a result in any case. */ result= 0; /* There is a result in any case. */
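Review bot: key_restore(record, key_buf, index_info, 0) reads a buffer that is declared inside the braces opened in the previous hunk, and the matching closing brace is not among the visible lines, so it is worth confirming that this call can only be reached inside that block and only after the key_copy into key_buf has run. It also means tmp_record is no longer written on this path. Any later code in next_min() that assumed tmp_record held the saved key after this branch should be checked, and a short comment here stating that key_buf holds the key of the row with NULL in the MIN/MAX field would make the restore easier to follow.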
......