Commit 4e9b1487 authored by unknown

Fixed bug#16752 Binary table files created in mysqld v4.1 caused buffer overrun
  and possibly server crash in mysqld v5.0.

The reported MyISAM table was created in mysqld 4.1 and contains a varchar field.
When the binary files of that table were moved to 5.0, mysqld treats that varchar
field as a string field.
In order to do grouping, the server calculates the group buffer, and because
that field is a string the server assumes it has a fixed length and doesn't add
space for the length; but later that field is converted to a varchar field.
Due to this, when field values are actually copied, additional space for the
length bytes is taken and a buffer overrun occurs, which may lead to a server crash.

The calc_group_buffer() function now reserves additional space for length
bytes for VAR_STRING fields, like for VARCHAR fields.


sql/sql_select.cc:
  Fixed bug#16752 Binary table files created in mysqld v4.1 caused buffer overrun and possibly server crash in mysqld v5.0.
  The calc_group_buffer() function now reserves additional space for length
  bytes for VAR_STRING fields, like for VARCHAR fields.
parent 86733db8
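The sizing mismatch the commit message describes, reduced to a constructed C model (this is example code added here, not MySQL's code; the `field` struct, the `FT_*` enum, `LENGTH_BYTES` standing in for `HA_KEY_BLOB_LENGTH`, the `group_key_length_old`/`group_key_length_new` sizing routines and the sample table are all this example's own). The old sizing rule reserves `field_length` bytes for a 4.1 VAR_STRING column, but the copy step writes it as `[len][data]` like VARCHAR; a guard region after the buffer shows the two length bytes landing past the end, and the fixed rule closing the gap:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the sizing bug in bug#16752. The enum, struct and
 * constants below belong to this example, not to MySQL. */
enum field_type { FT_STRING, FT_VAR_STRING, FT_VARCHAR };

#define LENGTH_BYTES 2          /* stands in for HA_KEY_BLOB_LENGTH */
#define GUARD_BYTES  8          /* canary region placed after the group buffer */
#define GUARD_FILL   0xAA

struct field {
    enum field_type type;   /* type as the server sees it when sizing the buffer */
    size_t field_length;    /* declared maximum byte length of the column */
};

/* Buffer sizing before the fix: VAR_STRING is sized like a fixed-length string. */
size_t group_key_length_old(const struct field *f, size_t n)
{
    size_t key_length = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].type == FT_VARCHAR)
            key_length += f[i].field_length + LENGTH_BYTES;
        else
            key_length += f[i].field_length;
    }
    return key_length;
}

/* Buffer sizing after the fix: VAR_STRING reserves length bytes like VARCHAR. */
size_t group_key_length_new(const struct field *f, size_t n)
{
    size_t key_length = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].type == FT_VARCHAR || f[i].type == FT_VAR_STRING)
            key_length += f[i].field_length + LENGTH_BYTES;
        else
            key_length += f[i].field_length;
    }
    return key_length;
}

/* The copy step. By the time values are copied, a 4.1 VAR_STRING field has
 * been converted to VARCHAR, so it is written as [len][data] like VARCHAR.
 * Writes blindly into buf, trusting the earlier sizing; returns bytes written. */
static size_t copy_group_values(unsigned char *buf, const struct field *f,
                                const char **values, size_t n)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(values[i]);
        if (len > f[i].field_length) len = f[i].field_length;  /* clip to declared width */
        if (f[i].type == FT_VARCHAR || f[i].type == FT_VAR_STRING) {
            buf[pos++] = (unsigned char)(len & 0xFF);   /* 2-byte little-endian length */
            buf[pos++] = (unsigned char)(len >> 8);
            memcpy(buf + pos, values[i], len);
            pos += len;
        } else {
            /* fixed-length string: value space-padded to field_length */
            memset(buf + pos, ' ', f[i].field_length);
            memcpy(buf + pos, values[i], len);
            pos += f[i].field_length;
        }
    }
    return pos;
}

/* Size the buffer with `sizing`, copy the values, and report whether the
 * guard region after the buffer was clobbered: 1 on overrun, 0 if the copy
 * stayed inside the sized buffer, -1 on allocation failure. */
int group_copy_overruns(size_t (*sizing)(const struct field *, size_t),
                        const struct field *f, const char **values, size_t n)
{
    size_t key_length = sizing(f, n);
    unsigned char *buf = malloc(key_length + GUARD_BYTES);
    if (!buf) return -1;
    memset(buf, 0, key_length);
    memset(buf + key_length, GUARD_FILL, GUARD_BYTES);

    copy_group_values(buf, f, values, n);

    int overrun = 0;
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (buf[key_length + i] != GUARD_FILL) { overrun = 1; break; }
    free(buf);
    return overrun;
}

/* Constructed sample: a 4.1-era table with one fixed CHAR(4) column and one
 * VAR_STRING(10) column (a 4.1 varchar as a 5.0 server sees it), grouped on both. */
static const struct field sample_fields[] = {
    { FT_STRING,     4  },
    { FT_VAR_STRING, 10 },
};
static const char *sample_values[] = { "ab", "0123456789" };

int main(void)
{
    size_t n = sizeof sample_fields / sizeof sample_fields[0];
    printf("old sizing: %zu bytes, overrun=%d\n",
           group_key_length_old(sample_fields, n),
           group_copy_overruns(group_key_length_old, sample_fields, sample_values, n));
    printf("new sizing: %zu bytes, overrun=%d\n",
           group_key_length_new(sample_fields, n),
           group_copy_overruns(group_key_length_new, sample_fields, sample_values, n));
    return 0;
}
```

With the old rule the buffer is 14 bytes while the copy writes 16, so the VAR_STRING's trailing bytes land in the guard; with the fixed rule both sides agree on 16. The guard-region check is the same idea a debug allocator or ASan would apply to the real server.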
...@@ -12717,11 +12717,12 @@ calc_group_buffer(JOIN *join,ORDER *group) ...@@ -12717,11 +12717,12 @@ calc_group_buffer(JOIN *join,ORDER *group)
Field *field= group_item->get_tmp_table_field(); Field *field= group_item->get_tmp_table_field();
if (field) if (field)
{ {
if (field->type() == FIELD_TYPE_BLOB) enum_field_types type;
if ((type= field->type()) == FIELD_TYPE_BLOB)
key_length+=MAX_BLOB_WIDTH; // Can't be used as a key key_length+=MAX_BLOB_WIDTH; // Can't be used as a key
else if (field->type() == MYSQL_TYPE_VARCHAR) else if (type == MYSQL_TYPE_VARCHAR || type == MYSQL_TYPE_VAR_STRING)
key_length+= field->field_length + HA_KEY_BLOB_LENGTH; key_length+= field->field_length + HA_KEY_BLOB_LENGTH;
else if (field->type() == FIELD_TYPE_BIT) else if (type == FIELD_TYPE_BIT)
{ {
/* Bit is usually stored as a longlong key for group fields */ /* Bit is usually stored as a longlong key for group fields */
key_length+= 8; // Big enough key_length+= 8; // Big enough
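Review bot: the new `MYSQL_TYPE_VAR_STRING` case on the `key_length+= field->field_length + HA_KEY_BLOB_LENGTH;` branch carries no comment saying why a type the sizing code otherwise treats as fixed-length needs length bytes here; a one-liner such as `// 4.1 VAR_STRING is converted to VARCHAR when copied, so reserve length bytes` would stop the next reader from folding it back into the fixed-length default. Style point in the same condition chain: it now mixes the `FIELD_TYPE_BLOB`/`FIELD_TYPE_BIT` and `MYSQL_TYPE_VARCHAR`/`MYSQL_TYPE_VAR_STRING` spellings of the type enum, so pick one. Nothing in this hunk exercises the overrun; a regression test that groups on a varchar column from a table created under 4.1 would pin the fix.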