Commit ca8abf5a authored by Venkata Sidagam's avatar Venkata Sidagam

Bug#13556000: CHECK AND REPAIR TABLE SHOULD BE MORE ROBUST[2]

Problem description: Corrupt key file for the table. Size of the 
key is greater than the maximum specified size. This results in 
the overflow of the key buffer while reading the key from key 
file.

Fix: If the size of the key is greater than the maximum size, an error is returned before the key is written into the key buffer. The table is reported as corrupt, but there is no stack overflow.
parent a9dc2bb8
...@@ -945,9 +945,7 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, ...@@ -945,9 +945,7 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag,
("Found too long binary packed key: %u of %u at 0x%lx", ("Found too long binary packed key: %u of %u at 0x%lx",
length, keyinfo->maxlength, (long) *page_pos)); length, keyinfo->maxlength, (long) *page_pos));
DBUG_DUMP("key", *page_pos, 16); DBUG_DUMP("key", *page_pos, 16);
mi_print_error(keyinfo->share, HA_ERR_CRASHED); goto crashed; /* Wrong key */
my_errno=HA_ERR_CRASHED;
DBUG_RETURN(0); /* Wrong key */
} }
/* Key is packed against prev key, take prefix from prev key. */ /* Key is packed against prev key, take prefix from prev key. */
from= key; from= key;
...@@ -990,6 +988,8 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, ...@@ -990,6 +988,8 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag,
if (from == from_end) { from=page; from_end=page_end; } if (from == from_end) { from=page; from_end=page_end; }
length+= (uint) ((*key++ = *from++)); length+= (uint) ((*key++ = *from++));
} }
if (length > keyseg->length)
goto crashed;
} }
else else
length=keyseg->length; length=keyseg->length;
...@@ -1029,15 +1029,18 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, ...@@ -1029,15 +1029,18 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag,
if (from_end != page_end) if (from_end != page_end)
{ {
DBUG_PRINT("error",("Error when unpacking key")); DBUG_PRINT("error",("Error when unpacking key"));
mi_print_error(keyinfo->share, HA_ERR_CRASHED); goto crashed; /* Error */
my_errno=HA_ERR_CRASHED;
DBUG_RETURN(0); /* Error */
} }
/* Copy data pointer and, if appropriate, key block pointer. */ /* Copy data pointer and, if appropriate, key block pointer. */
memcpy((uchar*) key,(uchar*) from,(size_t) length); memcpy((uchar*) key,(uchar*) from,(size_t) length);
*page_pos= from+length; *page_pos= from+length;
} }
DBUG_RETURN((uint) (key-start_key)+keyseg->length); DBUG_RETURN((uint) (key-start_key)+keyseg->length);
crashed:
mi_print_error(keyinfo->share, HA_ERR_CRASHED);
my_errno= HA_ERR_CRASHED;
DBUG_RETURN(0);
} }
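Review bot: The new bound check `if (length > keyseg->length) goto crashed;` in the second hunk fails silently, whereas the existing too-long-key path in the first hunk records what it found (`"Found too long binary packed key: %u of %u at 0x%lx"` plus a `DBUG_DUMP`) before jumping to the same label; since this bug is about making CHECK/REPAIR more robust, a matching diagnostic would make the new corruption case debuggable. I would wrap the jump: `{ DBUG_PRINT("error", ("Found too long variable length key part: %u of %u", length, keyseg->length)); goto crashed; }`. It is also worth a comment that this check bounds only the destination key buffer: whether the `length` bytes subsequently copied out of `from`/`page` are compared against `from_end`/`page_end` is not visible in this hunk, so that over-read side should be confirmed separately. `_mi_get_binary_pack_key` starts before the first hunk and the code between the hunks is not shown here.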
......