branches/zip: page_zip_decompress(): Implement a proper check if there

is an overlap between BLOB pointers and the modification log or the zlib stream. page_zip_decompress_clust_ext(): Remove the improper check. The d_stream->avail_in cannot be decremented here, because we do not know at this point if the record is deleted. No space is reserved for the BLOB pointers in deleted records. page_zip_decompress_clust(): Check for the overlap here, right before copying the BLOB pointers. page_zip_decompress_clust(): Also check that the target column is long enough, and return FALSE instead of ut_ad() failure.

branches/zip: page_zip_decompress(): Implement a proper check if there
is an overlap between BLOB pointers and the modification log or the zlib stream. page_zip_decompress_clust_ext(): Remove the improper check. The d_stream->avail_in cannot be decremented here, because we do not know at this point if the record is deleted. No space is reserved for the BLOB pointers in deleted records. page_zip_decompress_clust(): Check for the overlap here, right before copying the BLOB pointers. page_zip_decompress_clust(): Also check that the target column is long enough, and return FALSE instead of ut_ad() failure.
9e26020c · marko · 85f1c90d · 9e26020c
Commit 9e26020c authored Dec 13, 2007 by marko
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 13 deletions

page/page0zip.c page/page0zip.c +22 -13

No files found.
--- a/page/page0zip.c
+++ b/page/page0zip.c
@@ -2324,18 +2324,6 @@ page_zip_decompress_clust_ext(
 			ut_ad(d_stream->next_out == dst);
-			/* Reserve space for the data at
-			the end of the space reserved for
-			the compressed data and the
-			page modification log. */
-			if (UNIV_UNLIKELY
-			    (d_stream->avail_in
-			     <= BTR_EXTERN_FIELD_REF_SIZE)) {
-				/* out of space */
-				return(FALSE);
-			}
 			/* Clear the BLOB pointer in case
 			the record will be deleted and the
 			space will not be reused.  Note that
@@ -2595,7 +2583,14 @@ zlib_done:
 				continue;
 			}
 			dst = rec_get_nth_field(rec, offsets, i, &len);
-			ut_ad(len >= BTR_EXTERN_FIELD_REF_SIZE);
+			if (UNIV_UNLIKELY(len < BTR_EXTERN_FIELD_REF_SIZE)) {
+				page_zip_fail(("page_zip_decompress_clust:"
+					       " %lu < 20\n",
+					       (ulong) len));
+				return(FALSE);
+			}
 			dst += len - BTR_EXTERN_FIELD_REF_SIZE;
 			if (UNIV_LIKELY(exists)) {
@@ -2603,6 +2598,20 @@ zlib_done:
 				restore the BLOB pointer */
 				externs -= BTR_EXTERN_FIELD_REF_SIZE;
+				if (UNIV_UNLIKELY
+				    (externs < page_zip->data
+				     + page_zip->m_end)) {
+					page_zip_fail(("page_zip_"
+						       "decompress_clust: "
+						       "%p < %p + %lu\n",
+						       (const void*) externs,
+						       (const void*)
+						       page_zip->data,
+						       (ulong)
+						       page_zip->m_end));
+					return(FALSE);
+				}
 				memcpy(dst, externs,
 				       BTR_EXTERN_FIELD_REF_SIZE);