authorMichael Widenius <monty@askmonty.org>2010-12-10 17:15:18 +0200
committerMichael Widenius <monty@askmonty.org>2010-12-10 17:15:18 +0200
commitbd2034dbee16bc90217d44df5059d837d60a6110 (patch)
tree47965e2c9018f614f74b020c7b0b7df4c0b2aa43
parent84edaac4f14b2fbaf57fef8fbaeb45966b1feda3 (diff)
Fix for Lbug:#686010 maria.optimize corrupts stack around alloca() call
storage/maria/ma_check.c: Also allocate memory for the nodflag and transids.
storage/maria/ma_write.c: Allow nodflag and transid as part of the key. (This has nothing to do with the bug report, but it's a safer check.)
storage/maria/maria_def.h: Define MARIA_MAX_POINTER_LENGTH (length of pointer to node). Added node pointer length to MARIA_INDEX_OVERHEAD_SIZE, as this is part of the key. (Safety fix)
-rw-r--r--storage/maria/ma_check.c3
-rw-r--r--storage/maria/ma_write.c6
-rw-r--r--storage/maria/maria_def.h4
3 files changed, 7 insertions, 6 deletions
diff --git a/storage/maria/ma_check.c b/storage/maria/ma_check.c
index fcf01385e97..1cb14567804 100644
--- a/storage/maria/ma_check.c
+++ b/storage/maria/ma_check.c
@@ -3133,7 +3133,8 @@ static int sort_one_index(HA_CHECK *param, MARIA_HA *info,
key.keyinfo= keyinfo;
if (!(buff= (uchar*) my_alloca((uint) keyinfo->block_length +
- keyinfo->maxlength)))
+ keyinfo->maxlength +
+ MARIA_INDEX_OVERHEAD_SIZE)))
{
_ma_check_print_error(param,"Not enough memory for key block");
DBUG_RETURN(-1);
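Review bot: The enlarged `my_alloca()` size in `sort_one_index` has no comment tying it to what is later written into `buff`, so a future key-format change can silently reintroduce the stack overrun this commit fixes. I would add above the call something like `/* block_length + one max-length key + MARIA_INDEX_OVERHEAD_SIZE (node pointer and packed transids stored with the key) */`. If `my_alloca` maps to plain `alloca()` in this build (not visible here), the `!buff` test can never fire and an oversized request ends in a stack fault instead of the "Not enough memory" path, so any other stack buffers sized as `block_length + maxlength` elsewhere in the file deserve the same review. The function body starts and ends outside the hunk.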
diff --git a/storage/maria/ma_write.c b/storage/maria/ma_write.c
index 02eeec754ee..49f86fe291b 100644
--- a/storage/maria/ma_write.c
+++ b/storage/maria/ma_write.c
@@ -22,8 +22,6 @@
#include "ma_key_recover.h"
#include "ma_blockrec.h"
-#define MAX_POINTER_LENGTH 8
-
/* Functions declared in this file */
static int w_search(MARIA_HA *info, uint32 comp_flag,
@@ -802,7 +800,7 @@ int _ma_insert(register MARIA_HA *info, MARIA_KEY *key,
#endif
if (t_length > 0)
{
- if (t_length >= keyinfo->maxlength*2+MAX_POINTER_LENGTH)
+ if (t_length >= keyinfo->maxlength*2+MARIA_INDEX_OVERHEAD_SIZE)
{
my_errno=HA_ERR_CRASHED;
DBUG_RETURN(-1);
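Review bot: This bound, and the identical one in the `else` branch of the next hunk, is relaxed from `+8` to `+MARIA_INDEX_OVERHEAD_SIZE`, so `_ma_insert` now accepts a larger `t_length` before it reports `HA_ERR_CRASHED`. Every buffer that later receives those bytes has to be sized with the same overhead, as the ma_check.c hunk does for its alloca buffer; the consumers are outside this hunk, so that could not be confirmed here. To keep the two branches from drifting apart, compute the limit once, e.g. `const int max_move= keyinfo->maxlength*2 + MARIA_INDEX_OVERHEAD_SIZE;`, and compare `t_length` and `-t_length` against it, with a comment naming the buffer the limit protects. `_ma_insert` starts and ends outside the hunk.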
@@ -811,7 +809,7 @@ int _ma_insert(register MARIA_HA *info, MARIA_KEY *key,
}
else
{
- if (-t_length >= keyinfo->maxlength*2+MAX_POINTER_LENGTH)
+ if (-t_length >= keyinfo->maxlength*2+MARIA_INDEX_OVERHEAD_SIZE)
{
my_errno=HA_ERR_CRASHED;
DBUG_RETURN(-1);
diff --git a/storage/maria/maria_def.h b/storage/maria/maria_def.h
index b998ac4f3a0..85696d04858 100644
--- a/storage/maria/maria_def.h
+++ b/storage/maria/maria_def.h
@@ -152,11 +152,13 @@ typedef struct st_maria_state_info
#define MARIA_COLUMNDEF_SIZE (2*7+1+1+4)
#define MARIA_BASE_INFO_SIZE (MY_UUID_SIZE + 5*8 + 6*4 + 11*2 + 6 + 5*2 + 1 + 16)
#define MARIA_INDEX_BLOCK_MARGIN 16 /* Safety margin for .MYI tables */
+#define MARIA_MAX_POINTER_LENGTH 7 /* Node pointer */
/* Internal management bytes needed to store 2 transid/key on an index page */
#define MARIA_MAX_PACK_TRANSID_SIZE (TRANSID_SIZE+1)
#define MARIA_TRANSID_PACK_OFFSET (256- TRANSID_SIZE - 1)
#define MARIA_MIN_TRANSID_PACK_OFFSET (MARIA_TRANSID_PACK_OFFSET-TRANSID_SIZE)
-#define MARIA_INDEX_OVERHEAD_SIZE (MARIA_MAX_PACK_TRANSID_SIZE * 2)
+#define MARIA_INDEX_OVERHEAD_SIZE (MARIA_MAX_PACK_TRANSID_SIZE * 2 + \
+ MARIA_MAX_POINTER_LENGTH)
#define MARIA_DELETE_KEY_NR 255 /* keynr for deleted blocks */
/*