Commit 22e99fcb authored by Arun Kuruvila's avatar Arun Kuruvila

Bug#27799513: POTENTIAL DOUBLE FREE OR CORRUPTION OF HEAP

              INFO (HP_INFO)

Description:- Server crashes due to memory overflow.

Analysis:- The number of bytes used to store the key length is set
incorrectly for HEAP tables.

Fix:- Bytes used to store the key length is properly set
inside "heap_create()".
parent e1fdeb24
/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -92,7 +92,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info,
/* fall_through */
case HA_KEYTYPE_VARTEXT1:
keyinfo->flag|= HA_VAR_LENGTH_KEY;
length+= 2;
/*
For BTREE algorithm, key length, greater than or equal
to 255, is packed on 3 bytes.
*/
if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
length+= size_to_store_key_length(keyinfo->seg[j].length);
else
length+= 2;
/* Save number of bytes used to store length */
keyinfo->seg[j].bit_start= 1;
break;
......@@ -101,7 +108,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info,
/* fall_through */
case HA_KEYTYPE_VARTEXT2:
keyinfo->flag|= HA_VAR_LENGTH_KEY;
length+= 2;
/*
For BTREE algorithm, key length, greater than or equal
to 255, is packed on 3 bytes.
*/
if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
length+= size_to_store_key_length(keyinfo->seg[j].length);
else
length+= 2;
/* Save number of bytes used to store length */
keyinfo->seg[j].bit_start= 2;
/*
......
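Review bot: The comment `/* Save number of bytes used to store length */` immediately after the new BTREE branch now reads as if it describes the bytes just added to `length`, yet `bit_start` is assigned a constant (1 here, 2 in the second hunk) regardless of which branch ran; presumably it records the width of the column's own length prefix in the record rather than the key-length packing. Suggest rewording to `/* bit_start is the width of the column's length prefix in the record (1 or 2 bytes); it is unrelated to the key-length packing chosen above */` in both hunks. Since the two cases carry the same four-line size computation, a mismatch between this arithmetic and the code that actually packs the key is exactly the heap-overflow class this commit fixes, so a regression test that creates a BTREE HEAP key on a VARTEXT column longer than 254 bytes would pin the fix. heap_create's body continues outside both hunks.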