• unknown's avatar
    BUG#21206: memory corruption when too many cursors are opened at once · 35945019
    unknown authored
    Too many cursors (more than 1024) could lead to memory corruption.
    This affects both, stored routines and C API cursors, and the
    threshold is per-server, not per-connection.  Similarly, the
    corruption could happen when the server was under heavy load
    (executing more than 1024 simultaneous complex queries), and this is
    the reason why this bug is fixed in 4.1, which doesn't support
    cursors.
    
    The corruption was caused by a bug in the temporary tables code, when
    an attempt to create a table could lead to a write beyond allocated
    space.  Note, that only internal tables were affected (the tables
    created internally by the server to resolve the query), not tables
    created with CREATE TEMPORARY TABLE.  Another pre-condition for the
    bug is TRUE value of --temp-pool startup option, which, however, is a
    default.
    
    The cause of a bug was that random memory was overwritten in
    bitmap_set_next() due to out-of-bound memory access.
    
    
    mysys/my_bitmap.c:
      Local 'bitmap_size' is measured in bytes, no need to multiply it by 8.
    sql/sql_select.cc:
      Clear the temp_pool_slot bit only if we have set it previously.
    35945019
sql_select.cc 295 KB