diff options
author | Marko Mäkelä <marko.makela@mariadb.com> | 2019-05-08 12:18:52 +0300 |
---|---|---|
committer | Marko Mäkelä <marko.makela@mariadb.com> | 2019-05-10 07:57:01 +0300 |
commit | f92749ed36e02342abfc82d2c354c73e188ff718 (patch) | |
tree | 1b381faf00d3ec18131e2f69d1cdb96fdebcc0d1 | |
parent | 5b3f7c0c33e74426d5d22db1ac159ddead79cbc1 (diff) | |
download | mariadb-git-f92749ed36e02342abfc82d2c354c73e188ff718.tar.gz |
MDEV-18220: heap-use-after-free in fts_get_table_name_prefix()
fts_table_t::parent: Remove the redundant field. Refer to
table->name.m_name instead.
fts_update_sync_doc_id(), fts_update_next_doc_id(): Remove
the redundant parameter table_name.
fts_get_table_name_prefix(): Access the dict_table_t::name.
FIXME: Ensure that this access is always covered by
dict_sys->mutex.
-rw-r--r-- | storage/innobase/fts/fts0fts.cc | 16 | ||||
-rw-r--r-- | storage/innobase/fts/fts0opt.cc | 2 | ||||
-rw-r--r-- | storage/innobase/fts/fts0que.cc | 4 | ||||
-rw-r--r-- | storage/innobase/fts/fts0sql.cc | 16 | ||||
-rw-r--r-- | storage/innobase/include/fts0fts.h | 7 | ||||
-rw-r--r-- | storage/innobase/row/row0ftsort.cc | 1 | ||||
-rw-r--r-- | storage/innobase/row/row0merge.cc | 3 | ||||
-rw-r--r-- | storage/innobase/row/row0mysql.cc | 2 | ||||
-rw-r--r-- | storage/xtradb/fts/fts0fts.cc | 16 | ||||
-rw-r--r-- | storage/xtradb/fts/fts0opt.cc | 2 | ||||
-rw-r--r-- | storage/xtradb/fts/fts0que.cc | 4 | ||||
-rw-r--r-- | storage/xtradb/fts/fts0sql.cc | 16 | ||||
-rw-r--r-- | storage/xtradb/include/fts0fts.h | 7 | ||||
-rw-r--r-- | storage/xtradb/row/row0ftsort.cc | 1 | ||||
-rw-r--r-- | storage/xtradb/row/row0merge.cc | 3 | ||||
-rw-r--r-- | storage/xtradb/row/row0mysql.cc | 2 |
16 files changed, 28 insertions, 74 deletions
diff --git a/storage/innobase/fts/fts0fts.cc b/storage/innobase/fts/fts0fts.cc index 1ea3a8d2c60..9c90ec91ce7 100644 --- a/storage/innobase/fts/fts0fts.cc +++ b/storage/innobase/fts/fts0fts.cc @@ -334,7 +334,6 @@ dberr_t fts_update_sync_doc_id( /*===================*/ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id, /*!< in: last document id */ trx_t* trx) /*!< in: update trx, or NULL */ MY_ATTRIBUTE((nonnull(1))); @@ -2045,7 +2044,6 @@ fts_create_index_tables_low( fts_table.type = FTS_INDEX_TABLE; fts_table.index_id = index->id; fts_table.table_id = table_id; - fts_table.parent = table_name; fts_table.table = index->table; #ifdef FTS_DOC_STATS_DEBUG @@ -2632,7 +2630,6 @@ fts_update_next_doc_id( /*===================*/ trx_t* trx, /*!< in/out: transaction */ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id) /*!< in: DOC ID to set */ { table->fts->cache->synced_doc_id = doc_id; @@ -2641,7 +2638,7 @@ fts_update_next_doc_id( table->fts->cache->first_doc_id = table->fts->cache->next_doc_id; fts_update_sync_doc_id( - table, table_name, table->fts->cache->synced_doc_id, trx); + table, table->fts->cache->synced_doc_id, trx); } @@ -2712,8 +2709,6 @@ retry: fts_table.type = FTS_COMMON_TABLE; fts_table.table = table; - fts_table.parent = table->name; - trx = trx_allocate_for_background(); trx->op_info = "update the next FTS document id"; @@ -2770,7 +2765,7 @@ retry: if (doc_id_cmp > *doc_id) { error = fts_update_sync_doc_id( - table, table->name, cache->synced_doc_id, trx); + table, cache->synced_doc_id, trx); } *doc_id = cache->next_doc_id; @@ -2808,7 +2803,6 @@ dberr_t fts_update_sync_doc_id( /*===================*/ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id, /*!< in: last document id */ trx_t* trx) /*!< in: update trx, or NULL */ { @@ -2825,11 +2819,6 @@ fts_update_sync_doc_id( fts_table.table_id = table->id; fts_table.type = FTS_COMMON_TABLE; fts_table.table = table; - if (table_name) { - fts_table.parent = table_name; - } else { - fts_table.parent = table->name; - } if (!trx) { trx = trx_allocate_for_background(); @@ -6260,7 +6249,6 @@ fts_rename_one_aux_table_to_hex_format( ut_a(fts_table.suffix != NULL); - fts_table.parent = parent_table->name; fts_table.table_id = aux_table->parent_id; fts_table.index_id = aux_table->index_id; fts_table.table = parent_table; diff --git a/storage/innobase/fts/fts0opt.cc b/storage/innobase/fts/fts0opt.cc index 38906f47ccd..ad64f6d1d37 100644 --- a/storage/innobase/fts/fts0opt.cc +++ b/storage/innobase/fts/fts0opt.cc @@ -1603,12 +1603,10 @@ fts_optimize_create( optim->trx = trx_allocate_for_background(); - optim->fts_common_table.parent = table->name; optim->fts_common_table.table_id = table->id; optim->fts_common_table.type = FTS_COMMON_TABLE; optim->fts_common_table.table = table; - optim->fts_index_table.parent = table->name; optim->fts_index_table.table_id = table->id; optim->fts_index_table.type = FTS_INDEX_TABLE; optim->fts_index_table.table = table; diff --git a/storage/innobase/fts/fts0que.cc b/storage/innobase/fts/fts0que.cc index 7983181c23a..8cb0a4a341c 100644 --- a/storage/innobase/fts/fts0que.cc +++ b/storage/innobase/fts/fts0que.cc @@ -1,7 +1,7 @@ /***************************************************************************** Copyright (c) 2007, 2018, Oracle and/or its affiliates. All Rights Reserved. -Copyright (c) 2017, 2018, MariaDB Corporation. +Copyright (c) 2017, 2019, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software @@ -3870,7 +3870,6 @@ fts_query( query.fts_common_table.type = FTS_COMMON_TABLE; query.fts_common_table.table_id = index->table->id; - query.fts_common_table.parent = index->table->name; query.fts_common_table.table = index->table; charset = fts_index_get_charset(index); @@ -3878,7 +3877,6 @@ fts_query( query.fts_index_table.type = FTS_INDEX_TABLE; query.fts_index_table.index_id = index->id; query.fts_index_table.table_id = index->table->id; - query.fts_index_table.parent = index->table->name; query.fts_index_table.charset = charset; query.fts_index_table.table = index->table; diff --git a/storage/innobase/fts/fts0sql.cc b/storage/innobase/fts/fts0sql.cc index cb8eff3cacc..dcc1e4c97e9 100644 --- a/storage/innobase/fts/fts0sql.cc +++ b/storage/innobase/fts/fts0sql.cc @@ -1,6 +1,7 @@ /***************************************************************************** Copyright (c) 2007, 2013, Oracle and/or its affiliates. All Rights Reserved. +Copyright (c) 2019, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software @@ -112,13 +113,14 @@ fts_get_table_name_prefix( int prefix_name_len; char table_id[FTS_AUX_MIN_TABLE_ID_LENGTH]; +#if 0 /* FIXME: protect the access to dict_table_t::name */ + ut_ad(mutex_own(&dict_sys->mutex)); +#endif slash = static_cast<const char*>( - memchr(fts_table->parent, '/', strlen(fts_table->parent))); - - if (slash) { - /* Print up to and including the separator. */ - dbname_len = static_cast<int>(slash - fts_table->parent) + 1; - } + strchr(fts_table->table->name, '/')); + ut_ad(slash); + /* Print up to and including the separator. */ + dbname_len = static_cast<int>(slash - fts_table->table->name) + 1; len = fts_get_table_id(fts_table, table_id); @@ -127,7 +129,7 @@ fts_get_table_name_prefix( prefix_name = static_cast<char*>(mem_alloc(prefix_name_len)); len = sprintf(prefix_name, "%.*sFTS_%s", - dbname_len, fts_table->parent, table_id); + dbname_len, fts_table->table->name, table_id); ut_a(len > 0); ut_a(len == prefix_name_len - 1); diff --git a/storage/innobase/include/fts0fts.h b/storage/innobase/include/fts0fts.h index ce30a17c4b4..7265e42b0ab 100644 --- a/storage/innobase/include/fts0fts.h +++ b/storage/innobase/include/fts0fts.h @@ -151,7 +151,6 @@ do { \ (fts_table)->suffix = m_suffix; \ (fts_table)->type = m_type; \ (fts_table)->table_id = m_table->id; \ - (fts_table)->parent = m_table->name; \ (fts_table)->table = m_table; \ } while (0); @@ -160,7 +159,6 @@ do { \ (fts_table)->suffix = m_suffix; \ (fts_table)->type = m_type; \ (fts_table)->table_id = m_index->table->id; \ - (fts_table)->parent = m_index->table->name; \ (fts_table)->table = m_index->table; \ (fts_table)->index_id = m_index->id; \ } while (0); @@ -265,10 +263,6 @@ struct fts_result_t { table id and the index id to generate the column specific FTS auxiliary table name. */ struct fts_table_t { - const char* parent; /*!< Parent table name, this is - required only for the database - name */ - fts_table_type_t type; /*!< The auxiliary table type */ @@ -424,7 +418,6 @@ fts_update_next_doc_id( /*===================*/ trx_t* trx, /*!< in/out: transaction */ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id) /*!< in: DOC ID to set */ MY_ATTRIBUTE((nonnull(2))); diff --git a/storage/innobase/row/row0ftsort.cc b/storage/innobase/row/row0ftsort.cc index 6af93fb83fb..b5476cdfdbe 100644 --- a/storage/innobase/row/row0ftsort.cc +++ b/storage/innobase/row/row0ftsort.cc @@ -1500,7 +1500,6 @@ row_fts_merge_insert( ins_ctx.fts_table.type = FTS_INDEX_TABLE; ins_ctx.fts_table.index_id = index->id; ins_ctx.fts_table.table_id = table->id; - ins_ctx.fts_table.parent = index->table->name; ins_ctx.fts_table.table = index->table; space = table->space; diff --git a/storage/innobase/row/row0merge.cc b/storage/innobase/row/row0merge.cc index 4d836cebd6a..813194b1355 100644 --- a/storage/innobase/row/row0merge.cc +++ b/storage/innobase/row/row0merge.cc @@ -2070,8 +2070,7 @@ wait_again: false, true, false); if (err == DB_SUCCESS) { - fts_update_next_doc_id( - 0, new_table, old_table->name, max_doc_id); + fts_update_next_doc_id(NULL, new_table, max_doc_id); } } diff --git a/storage/innobase/row/row0mysql.cc b/storage/innobase/row/row0mysql.cc index 47e0368e787..e8d68b3c8fa 100644 --- a/storage/innobase/row/row0mysql.cc +++ b/storage/innobase/row/row0mysql.cc @@ -3831,7 +3831,7 @@ next_rec: os_thread_sleep(10000000);); table->fts->fts_status |= TABLE_DICT_LOCKED; - fts_update_next_doc_id(trx, table, NULL, 0); + fts_update_next_doc_id(trx, table, 0); fts_cache_clear(table->fts->cache); fts_cache_init(table->fts->cache); table->fts->fts_status &= ~TABLE_DICT_LOCKED; diff --git a/storage/xtradb/fts/fts0fts.cc b/storage/xtradb/fts/fts0fts.cc index 1ea3a8d2c60..9c90ec91ce7 100644 --- a/storage/xtradb/fts/fts0fts.cc +++ b/storage/xtradb/fts/fts0fts.cc @@ -334,7 +334,6 @@ dberr_t fts_update_sync_doc_id( /*===================*/ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id, /*!< in: last document id */ trx_t* trx) /*!< in: update trx, or NULL */ MY_ATTRIBUTE((nonnull(1))); @@ -2045,7 +2044,6 @@ fts_create_index_tables_low( fts_table.type = FTS_INDEX_TABLE; fts_table.index_id = index->id; fts_table.table_id = table_id; - fts_table.parent = table_name; fts_table.table = index->table; #ifdef FTS_DOC_STATS_DEBUG @@ -2632,7 +2630,6 @@ fts_update_next_doc_id( /*===================*/ trx_t* trx, /*!< in/out: transaction */ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id) /*!< in: DOC ID to set */ { table->fts->cache->synced_doc_id = doc_id; @@ -2641,7 +2638,7 @@ fts_update_next_doc_id( table->fts->cache->first_doc_id = table->fts->cache->next_doc_id; fts_update_sync_doc_id( - table, table_name, table->fts->cache->synced_doc_id, trx); + table, table->fts->cache->synced_doc_id, trx); } @@ -2712,8 +2709,6 @@ retry: fts_table.type = FTS_COMMON_TABLE; fts_table.table = table; - fts_table.parent = table->name; - trx = trx_allocate_for_background(); trx->op_info = "update the next FTS document id"; @@ -2770,7 +2765,7 @@ retry: if (doc_id_cmp > *doc_id) { error = fts_update_sync_doc_id( - table, table->name, cache->synced_doc_id, trx); + table, cache->synced_doc_id, trx); } *doc_id = cache->next_doc_id; @@ -2808,7 +2803,6 @@ dberr_t fts_update_sync_doc_id( /*===================*/ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id, /*!< in: last document id */ trx_t* trx) /*!< in: update trx, or NULL */ { @@ -2825,11 +2819,6 @@ fts_update_sync_doc_id( fts_table.table_id = table->id; fts_table.type = FTS_COMMON_TABLE; fts_table.table = table; - if (table_name) { - fts_table.parent = table_name; - } else { - fts_table.parent = table->name; - } if (!trx) { trx = trx_allocate_for_background(); @@ -6260,7 +6249,6 @@ fts_rename_one_aux_table_to_hex_format( ut_a(fts_table.suffix != NULL); - fts_table.parent = parent_table->name; fts_table.table_id = aux_table->parent_id; fts_table.index_id = aux_table->index_id; fts_table.table = parent_table; diff --git a/storage/xtradb/fts/fts0opt.cc b/storage/xtradb/fts/fts0opt.cc index 38906f47ccd..ad64f6d1d37 100644 --- a/storage/xtradb/fts/fts0opt.cc +++ b/storage/xtradb/fts/fts0opt.cc @@ -1603,12 +1603,10 @@ fts_optimize_create( optim->trx = trx_allocate_for_background(); - optim->fts_common_table.parent = table->name; optim->fts_common_table.table_id = table->id; optim->fts_common_table.type = FTS_COMMON_TABLE; optim->fts_common_table.table = table; - optim->fts_index_table.parent = table->name; optim->fts_index_table.table_id = table->id; optim->fts_index_table.type = FTS_INDEX_TABLE; optim->fts_index_table.table = table; diff --git a/storage/xtradb/fts/fts0que.cc b/storage/xtradb/fts/fts0que.cc index b9ad43c626a..fa91771a7b2 100644 --- a/storage/xtradb/fts/fts0que.cc +++ b/storage/xtradb/fts/fts0que.cc @@ -1,7 +1,7 @@ /***************************************************************************** Copyright (c) 2007, 2018, Oracle and/or its affiliates. All Rights Reserved. -Copyright (c) 2017, 2018, MariaDB Corporation. +Copyright (c) 2017, 2019, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software @@ -3891,7 +3891,6 @@ fts_query( query.fts_common_table.type = FTS_COMMON_TABLE; query.fts_common_table.table_id = index->table->id; - query.fts_common_table.parent = index->table->name; query.fts_common_table.table = index->table; charset = fts_index_get_charset(index); @@ -3899,7 +3898,6 @@ fts_query( query.fts_index_table.type = FTS_INDEX_TABLE; query.fts_index_table.index_id = index->id; query.fts_index_table.table_id = index->table->id; - query.fts_index_table.parent = index->table->name; query.fts_index_table.charset = charset; query.fts_index_table.table = index->table; diff --git a/storage/xtradb/fts/fts0sql.cc b/storage/xtradb/fts/fts0sql.cc index cb8eff3cacc..dcc1e4c97e9 100644 --- a/storage/xtradb/fts/fts0sql.cc +++ b/storage/xtradb/fts/fts0sql.cc @@ -1,6 +1,7 @@ /***************************************************************************** Copyright (c) 2007, 2013, Oracle and/or its affiliates. All Rights Reserved. +Copyright (c) 2019, MariaDB Corporation. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software @@ -112,13 +113,14 @@ fts_get_table_name_prefix( int prefix_name_len; char table_id[FTS_AUX_MIN_TABLE_ID_LENGTH]; +#if 0 /* FIXME: protect the access to dict_table_t::name */ + ut_ad(mutex_own(&dict_sys->mutex)); +#endif slash = static_cast<const char*>( - memchr(fts_table->parent, '/', strlen(fts_table->parent))); - - if (slash) { - /* Print up to and including the separator. */ - dbname_len = static_cast<int>(slash - fts_table->parent) + 1; - } + strchr(fts_table->table->name, '/')); + ut_ad(slash); + /* Print up to and including the separator. */ + dbname_len = static_cast<int>(slash - fts_table->table->name) + 1; len = fts_get_table_id(fts_table, table_id); @@ -127,7 +129,7 @@ fts_get_table_name_prefix( prefix_name = static_cast<char*>(mem_alloc(prefix_name_len)); len = sprintf(prefix_name, "%.*sFTS_%s", - dbname_len, fts_table->parent, table_id); + dbname_len, fts_table->table->name, table_id); ut_a(len > 0); ut_a(len == prefix_name_len - 1); diff --git a/storage/xtradb/include/fts0fts.h b/storage/xtradb/include/fts0fts.h index ce30a17c4b4..7265e42b0ab 100644 --- a/storage/xtradb/include/fts0fts.h +++ b/storage/xtradb/include/fts0fts.h @@ -151,7 +151,6 @@ do { \ (fts_table)->suffix = m_suffix; \ (fts_table)->type = m_type; \ (fts_table)->table_id = m_table->id; \ - (fts_table)->parent = m_table->name; \ (fts_table)->table = m_table; \ } while (0); @@ -160,7 +159,6 @@ do { \ (fts_table)->suffix = m_suffix; \ (fts_table)->type = m_type; \ (fts_table)->table_id = m_index->table->id; \ - (fts_table)->parent = m_index->table->name; \ (fts_table)->table = m_index->table; \ (fts_table)->index_id = m_index->id; \ } while (0); @@ -265,10 +263,6 @@ struct fts_result_t { table id and the index id to generate the column specific FTS auxiliary table name. */ struct fts_table_t { - const char* parent; /*!< Parent table name, this is - required only for the database - name */ - fts_table_type_t type; /*!< The auxiliary table type */ @@ -424,7 +418,6 @@ fts_update_next_doc_id( /*===================*/ trx_t* trx, /*!< in/out: transaction */ const dict_table_t* table, /*!< in: table */ - const char* table_name, /*!< in: table name, or NULL */ doc_id_t doc_id) /*!< in: DOC ID to set */ MY_ATTRIBUTE((nonnull(2))); diff --git a/storage/xtradb/row/row0ftsort.cc b/storage/xtradb/row/row0ftsort.cc index d3c8b9a80bd..6ae7827777a 100644 --- a/storage/xtradb/row/row0ftsort.cc +++ b/storage/xtradb/row/row0ftsort.cc @@ -1503,7 +1503,6 @@ row_fts_merge_insert( ins_ctx.fts_table.type = FTS_INDEX_TABLE; ins_ctx.fts_table.index_id = index->id; ins_ctx.fts_table.table_id = table->id; - ins_ctx.fts_table.parent = index->table->name; ins_ctx.fts_table.table = index->table; space = table->space; diff --git a/storage/xtradb/row/row0merge.cc b/storage/xtradb/row/row0merge.cc index 75d7397e7ee..2a8a0b06b11 100644 --- a/storage/xtradb/row/row0merge.cc +++ b/storage/xtradb/row/row0merge.cc @@ -2083,8 +2083,7 @@ wait_again: false, true, false); if (err == DB_SUCCESS) { - fts_update_next_doc_id( - 0, new_table, old_table->name, max_doc_id); + fts_update_next_doc_id(NULL, new_table, max_doc_id); } } diff --git a/storage/xtradb/row/row0mysql.cc b/storage/xtradb/row/row0mysql.cc index a21e32cb91e..6ee7f702b70 100644 --- a/storage/xtradb/row/row0mysql.cc +++ b/storage/xtradb/row/row0mysql.cc @@ -3841,7 +3841,7 @@ next_rec: os_thread_sleep(10000000);); table->fts->fts_status |= TABLE_DICT_LOCKED; - fts_update_next_doc_id(trx, table, NULL, 0); + fts_update_next_doc_id(trx, table, 0); fts_cache_clear(table->fts->cache); fts_cache_init(table->fts->cache); table->fts->fts_status &= ~TABLE_DICT_LOCKED; |