Commit c9a73aa2 authored by unknown's avatar unknown

Fix bug lp:993745

This is a backport of the fix for MySQL bug #13723054 in 5.6.

Original comment:
      The crash is caused by arbitrary memory area owerwriting in case of
      BLOB fields during attempt to copy BLOB field key image into record
      buffer(record buffer is too small to get BLOB key part image).
      note:
      QUICK_GROUP_MIN_MAX_SELECT can not work with BLOB fields
      because it uses record buffer as temporary buffer for key values
      however this case is filtered out by covering_keys() check
      in get_best_group_min_max() as BLOBs always require key length
      modificator in the key declaration and if the key has a BLOB
      then it can not be covered key.
      The fix is to use 'max_used_key_length' key length instead of 0.

Analysis:
Spcifically the crash in this bug was a result of the call to key_copy()
that copied the whole key, inlcuding the BLOB field which is not used
for index access. Copying the blob field overwrote memory as far as the
function parameter 'key_info'. As a result the contents of key_info was
all 0, which resulted in a crash when this key_info was accessed few
lines below in key_cmp().
parent 167ad4c4
...@@ -145,3 +145,16 @@ select count(*), min(7), max(7) from t2m, t1i; ...@@ -145,3 +145,16 @@ select count(*), min(7), max(7) from t2m, t1i;
count(*) min(7) max(7) count(*) min(7) max(7)
0 NULL NULL 0 NULL NULL
drop table t1m, t1i, t2m, t2i; drop table t1m, t1i, t2m, t2i;
#
# Bug#13723054 CRASH WITH MIN/MAX AFTER QUICK_GROUP_MIN_MAX_SELECT::NEXT_MIN
#
CREATE TABLE t1(a BLOB, b VARCHAR(255) CHARSET LATIN1, c INT,
KEY(b, c, a(765))) ENGINE=INNODB;
INSERT INTO t1(a, b, c) VALUES ('', 'a', 0), ('', 'a', null), ('', 'a', 0);
SELECT MIN(c) FROM t1 GROUP BY b;
MIN(c)
0
EXPLAIN SELECT MIN(c) FROM t1 GROUP BY b;
id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t1 range NULL b 263 NULL 4 Using index for group-by
DROP TABLE t1;
...@@ -83,3 +83,17 @@ explain select count(*), min(7), max(7) from t2m, t1i; ...@@ -83,3 +83,17 @@ explain select count(*), min(7), max(7) from t2m, t1i;
select count(*), min(7), max(7) from t2m, t1i; select count(*), min(7), max(7) from t2m, t1i;
drop table t1m, t1i, t2m, t2i; drop table t1m, t1i, t2m, t2i;
--echo #
--echo # Bug#13723054 CRASH WITH MIN/MAX AFTER QUICK_GROUP_MIN_MAX_SELECT::NEXT_MIN
--echo #
CREATE TABLE t1(a BLOB, b VARCHAR(255) CHARSET LATIN1, c INT,
KEY(b, c, a(765))) ENGINE=INNODB;
INSERT INTO t1(a, b, c) VALUES ('', 'a', 0), ('', 'a', null), ('', 'a', 0);
SELECT MIN(c) FROM t1 GROUP BY b;
EXPLAIN SELECT MIN(c) FROM t1 GROUP BY b;
DROP TABLE t1;
...@@ -10827,7 +10827,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min() ...@@ -10827,7 +10827,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min()
if (min_max_arg_part && min_max_arg_part->field->is_null()) if (min_max_arg_part && min_max_arg_part->field->is_null())
{ {
/* Find the first subsequent record without NULL in the MIN/MAX field. */ /* Find the first subsequent record without NULL in the MIN/MAX field. */
key_copy(tmp_record, record, index_info, 0); key_copy(tmp_record, record, index_info, max_used_key_length);
result= file->ha_index_read_map(record, tmp_record, result= file->ha_index_read_map(record, tmp_record,
make_keypart_map(real_key_parts), make_keypart_map(real_key_parts),
HA_READ_AFTER_KEY); HA_READ_AFTER_KEY);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment