MDEV-22818 Server crash on corrupted ROW_FORMAT=COMPRESSED page

page_zip_fields_decode(): Do not dereference index=NULL. Instead, return NULL early. The only caller does not care about the values of output parameters in that case. This bug was introduced in MySQL 5.7.6 by mysql/mysql-server@9eae0edb7a8e4004328e61157f5f3b39cebe1b2b and in MariaDB 10.2.2 by commit 2e814d47. Thanks to my son for pointing this out after investigating the output of a static analysis tool.

MDEV-22818 Server crash on corrupted ROW_FORMAT=COMPRESSED page
page_zip_fields_decode(): Do not dereference index=NULL. Instead, return NULL early. The only caller does not care about the values of output parameters in that case. This bug was introduced in MySQL 5.7.6 by mysql/mysql-server@9eae0edb7a8e4004328e61157f5f3b39cebe1b2b and in MariaDB 10.2.2 by commit 2e814d47. Thanks to my son for pointing this out after investigating the output of a static analysis tool.
1bd5b75c · Marko Mäkelä · 7a695d8a · 1bd5b75c
Commit 1bd5b75c authored Jun 06, 2020 by Marko Mäkelä
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

storage/innobase/page/page0zip.cc storage/innobase/page/page0zip.cc +3 -3

No files found.
--- a/storage/innobase/page/page0zip.cc
+++ b/storage/innobase/page/page0zip.cc
@@ -1756,8 +1756,9 @@ page_zip_fields_decode(
 		if (!val) {
 			val = ULINT_UNDEFINED;
 		} else if (UNIV_UNLIKELY(val >= n)) {
+fail:
 			page_zip_fields_free(index);
-			index = NULL;
+			return NULL;
 		} else {
 			index->type = DICT_CLUSTERED;
 		}
@@ -1766,8 +1767,7 @@ page_zip_fields_decode(
 	} else {
 		/* Decode the number of nullable fields. */
 		if (UNIV_UNLIKELY(index->n_nullable > val)) {
-			page_zip_fields_free(index);
+			goto fail;
-			index = NULL;
 		} else {
 			index->n_nullable = unsigned(val);
 		}