Commit 2dc982e0 authored by Sergey Glukhov's avatar Sergey Glukhov

Bug#41212 crash after race condition between merge table and table_cache evictions

On 64-bit Windows: querying MERGE table with keys may cause
server crash.The problem is generic and may affect any statement
accessing MERGE table cardinality values.
When MERGE engine was copying cardinality statistics, it was
using incorrect size of element in cardinality statistics array
(sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
of memory beyond of the allocated bounds.


sql/ha_myisam.cc:
  When copying rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
sql/ha_myisammrg.cc:
  When copying rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
sql/table.cc:
  When allocating rec_per_key array (an array of ulong) use proper
  size of element, that is sizeof(ulong).
parent a393195c
...@@ -1684,7 +1684,7 @@ int ha_myisam::info(uint flag) ...@@ -1684,7 +1684,7 @@ int ha_myisam::info(uint flag)
if (share->key_parts) if (share->key_parts)
memcpy((char*) table->key_info[0].rec_per_key, memcpy((char*) table->key_info[0].rec_per_key,
(char*) misam_info.rec_per_key, (char*) misam_info.rec_per_key,
sizeof(table->key_info[0].rec_per_key)*share->key_parts); sizeof(table->key_info[0].rec_per_key[0])*share->key_parts);
raid_type= misam_info.raid_type; raid_type= misam_info.raid_type;
raid_chunks= misam_info.raid_chunks; raid_chunks= misam_info.raid_chunks;
raid_chunksize= misam_info.raid_chunksize; raid_chunksize= misam_info.raid_chunksize;
......
...@@ -402,11 +402,11 @@ int ha_myisammrg::info(uint flag) ...@@ -402,11 +402,11 @@ int ha_myisammrg::info(uint flag)
with such a number, it'll be an error later anyway. with such a number, it'll be an error later anyway.
*/ */
bzero((char*) table->key_info[0].rec_per_key, bzero((char*) table->key_info[0].rec_per_key,
sizeof(table->key_info[0].rec_per_key) * table->s->key_parts); sizeof(table->key_info[0].rec_per_key[0]) * table->s->key_parts);
#endif #endif
memcpy((char*) table->key_info[0].rec_per_key, memcpy((char*) table->key_info[0].rec_per_key,
(char*) mrg_info.rec_per_key, (char*) mrg_info.rec_per_key,
sizeof(table->key_info[0].rec_per_key) * sizeof(table->key_info[0].rec_per_key[0]) *
min(file->keys, table->s->key_parts)); min(file->keys, table->s->key_parts));
} }
} }
......
...@@ -233,7 +233,7 @@ int openfrm(THD *thd, const char *name, const char *alias, uint db_stat, ...@@ -233,7 +233,7 @@ int openfrm(THD *thd, const char *name, const char *alias, uint db_stat,
ulong *rec_per_key; ulong *rec_per_key;
if (!(rec_per_key= (ulong*) alloc_root(&outparam->mem_root, if (!(rec_per_key= (ulong*) alloc_root(&outparam->mem_root,
sizeof(ulong*)*key_parts))) sizeof(ulong)*key_parts)))
goto err; goto err;
for (i=0 ; i < keys ; i++, keyinfo++) for (i=0 ; i < keys ; i++, keyinfo++)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment