BUG#13556441: CHECK AND REPAIR TABLE SHOULD BE MORE ROBUST [4]

Problem description: mysql server crashes when we run repair table on currupted table. Analysis: The problem with this bug seem to be key_reflength out of bounds (186 according to debugger). We read this value from meta-data segment of .MYI file while doing mi_open(). If you look into _mi_kpointer() you can see that the upper limit for key_reflength is 7. Solution: In mi_open() there is a line like: if (share->base.keystart > 65535 || share->base.rec_reflength > 8) we should verify key_reflength here as well.

BUG#13556441: CHECK AND REPAIR TABLE SHOULD BE MORE ROBUST [4]
Problem description: mysql server crashes when we run repair table on currupted table. Analysis: The problem with this bug seem to be key_reflength out of bounds (186 according to debugger). We read this value from meta-data segment of .MYI file while doing mi_open(). If you look into _mi_kpointer() you can see that the upper limit for key_reflength is 7. Solution: In mi_open() there is a line like: if (share->base.keystart > 65535 || share->base.rec_reflength > 8) we should verify key_reflength here as well.
02501a0f · Venkata Sidagam · 2919ca4e · 02501a0f
Commit 02501a0f authored Oct 31, 2012 by Venkata Sidagam
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

storage/myisam/mi_open.c storage/myisam/mi_open.c +2 -1

No files found.
--- a/storage/myisam/mi_open.c
+++ b/storage/myisam/mi_open.c
@@ -232,7 +232,8 @@ MI_INFO *mi_open(const char *name, int mode, uint open_flags)
    }

    /* sanity check */
-    if (share->base.keystart > 65535 || share->base.rec_reflength > 8)
+    if (share->base.keystart > 65535 || 
+        share->base.rec_reflength > 8 || share->base.key_reflength > 7) 
    {
      my_errno=HA_ERR_CRASHED;
      goto err;