authorMarko Mäkelä <marko.makela@mariadb.com>2019-05-08 12:18:52 +0300
committerMarko Mäkelä <marko.makela@mariadb.com>2019-05-10 07:57:01 +0300
commitf92749ed36e02342abfc82d2c354c73e188ff718 (patch)
tree1b381faf00d3ec18131e2f69d1cdb96fdebcc0d1
parent5b3f7c0c33e74426d5d22db1ac159ddead79cbc1 (diff)
downloadmariadb-git-f92749ed36e02342abfc82d2c354c73e188ff718.tar.gz
MDEV-18220: heap-use-after-free in fts_get_table_name_prefix()
fts_table_t::parent: Remove the redundant field. Refer to table->name.m_name instead. fts_update_sync_doc_id(), fts_update_next_doc_id(): Remove the redundant parameter table_name. fts_get_table_name_prefix(): Access the dict_table_t::name. FIXME: Ensure that this access is always covered by dict_sys->mutex.
-rw-r--r--storage/innobase/fts/fts0fts.cc16
-rw-r--r--storage/innobase/fts/fts0opt.cc2
-rw-r--r--storage/innobase/fts/fts0que.cc4
-rw-r--r--storage/innobase/fts/fts0sql.cc16
-rw-r--r--storage/innobase/include/fts0fts.h7
-rw-r--r--storage/innobase/row/row0ftsort.cc1
-rw-r--r--storage/innobase/row/row0merge.cc3
-rw-r--r--storage/innobase/row/row0mysql.cc2
-rw-r--r--storage/xtradb/fts/fts0fts.cc16
-rw-r--r--storage/xtradb/fts/fts0opt.cc2
-rw-r--r--storage/xtradb/fts/fts0que.cc4
-rw-r--r--storage/xtradb/fts/fts0sql.cc16
-rw-r--r--storage/xtradb/include/fts0fts.h7
-rw-r--r--storage/xtradb/row/row0ftsort.cc1
-rw-r--r--storage/xtradb/row/row0merge.cc3
-rw-r--r--storage/xtradb/row/row0mysql.cc2
16 files changed, 28 insertions, 74 deletions
diff --git a/storage/innobase/fts/fts0fts.cc b/storage/innobase/fts/fts0fts.cc
index 1ea3a8d2c60..9c90ec91ce7 100644
--- a/storage/innobase/fts/fts0fts.cc
+++ b/storage/innobase/fts/fts0fts.cc
@@ -334,7 +334,6 @@ dberr_t
fts_update_sync_doc_id(
/*===================*/
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id, /*!< in: last document id */
trx_t* trx) /*!< in: update trx, or NULL */
MY_ATTRIBUTE((nonnull(1)));
@@ -2045,7 +2044,6 @@ fts_create_index_tables_low(
fts_table.type = FTS_INDEX_TABLE;
fts_table.index_id = index->id;
fts_table.table_id = table_id;
- fts_table.parent = table_name;
fts_table.table = index->table;
#ifdef FTS_DOC_STATS_DEBUG
@@ -2632,7 +2630,6 @@ fts_update_next_doc_id(
/*===================*/
trx_t* trx, /*!< in/out: transaction */
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id) /*!< in: DOC ID to set */
{
table->fts->cache->synced_doc_id = doc_id;
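Review bot: The `trx` parameter comment on this signature still reads `in/out: transaction`, although the row0merge.cc call site in this commit passes `NULL` and fts_update_sync_doc_id() documents and handles `trx` as "update trx, or NULL". Since the signature is being edited anyway, the comment could become `/*!< in/out: transaction, or NULL */`. The same wording is in the declaration in include/fts0fts.h and in the storage/xtradb copies. The function body continues outside this hunk.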
@@ -2641,7 +2638,7 @@ fts_update_next_doc_id(
table->fts->cache->first_doc_id = table->fts->cache->next_doc_id;
fts_update_sync_doc_id(
- table, table_name, table->fts->cache->synced_doc_id, trx);
+ table, table->fts->cache->synced_doc_id, trx);
}
@@ -2712,8 +2709,6 @@ retry:
fts_table.type = FTS_COMMON_TABLE;
fts_table.table = table;
- fts_table.parent = table->name;
-
trx = trx_allocate_for_background();
trx->op_info = "update the next FTS document id";
@@ -2770,7 +2765,7 @@ retry:
if (doc_id_cmp > *doc_id) {
error = fts_update_sync_doc_id(
- table, table->name, cache->synced_doc_id, trx);
+ table, cache->synced_doc_id, trx);
}
*doc_id = cache->next_doc_id;
@@ -2808,7 +2803,6 @@ dberr_t
fts_update_sync_doc_id(
/*===================*/
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id, /*!< in: last document id */
trx_t* trx) /*!< in: update trx, or NULL */
{
@@ -2825,11 +2819,6 @@ fts_update_sync_doc_id(
fts_table.table_id = table->id;
fts_table.type = FTS_COMMON_TABLE;
fts_table.table = table;
- if (table_name) {
- fts_table.parent = table_name;
- } else {
- fts_table.parent = table->name;
- }
if (!trx) {
trx = trx_allocate_for_background();
@@ -6260,7 +6249,6 @@ fts_rename_one_aux_table_to_hex_format(
ut_a(fts_table.suffix != NULL);
- fts_table.parent = parent_table->name;
fts_table.table_id = aux_table->parent_id;
fts_table.index_id = aux_table->index_id;
fts_table.table = parent_table;
diff --git a/storage/innobase/fts/fts0opt.cc b/storage/innobase/fts/fts0opt.cc
index 38906f47ccd..ad64f6d1d37 100644
--- a/storage/innobase/fts/fts0opt.cc
+++ b/storage/innobase/fts/fts0opt.cc
@@ -1603,12 +1603,10 @@ fts_optimize_create(
optim->trx = trx_allocate_for_background();
- optim->fts_common_table.parent = table->name;
optim->fts_common_table.table_id = table->id;
optim->fts_common_table.type = FTS_COMMON_TABLE;
optim->fts_common_table.table = table;
- optim->fts_index_table.parent = table->name;
optim->fts_index_table.table_id = table->id;
optim->fts_index_table.type = FTS_INDEX_TABLE;
optim->fts_index_table.table = table;
diff --git a/storage/innobase/fts/fts0que.cc b/storage/innobase/fts/fts0que.cc
index 7983181c23a..8cb0a4a341c 100644
--- a/storage/innobase/fts/fts0que.cc
+++ b/storage/innobase/fts/fts0que.cc
@@ -1,7 +1,7 @@
/*****************************************************************************
Copyright (c) 2007, 2018, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2017, 2018, MariaDB Corporation.
+Copyright (c) 2017, 2019, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -3870,7 +3870,6 @@ fts_query(
query.fts_common_table.type = FTS_COMMON_TABLE;
query.fts_common_table.table_id = index->table->id;
- query.fts_common_table.parent = index->table->name;
query.fts_common_table.table = index->table;
charset = fts_index_get_charset(index);
@@ -3878,7 +3877,6 @@ fts_query(
query.fts_index_table.type = FTS_INDEX_TABLE;
query.fts_index_table.index_id = index->id;
query.fts_index_table.table_id = index->table->id;
- query.fts_index_table.parent = index->table->name;
query.fts_index_table.charset = charset;
query.fts_index_table.table = index->table;
diff --git a/storage/innobase/fts/fts0sql.cc b/storage/innobase/fts/fts0sql.cc
index cb8eff3cacc..dcc1e4c97e9 100644
--- a/storage/innobase/fts/fts0sql.cc
+++ b/storage/innobase/fts/fts0sql.cc
@@ -1,6 +1,7 @@
/*****************************************************************************
Copyright (c) 2007, 2013, Oracle and/or its affiliates. All Rights Reserved.
+Copyright (c) 2019, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -112,13 +113,14 @@ fts_get_table_name_prefix(
int prefix_name_len;
char table_id[FTS_AUX_MIN_TABLE_ID_LENGTH];
+#if 0 /* FIXME: protect the access to dict_table_t::name */
+ ut_ad(mutex_own(&dict_sys->mutex));
+#endif
slash = static_cast<const char*>(
- memchr(fts_table->parent, '/', strlen(fts_table->parent)));
-
- if (slash) {
- /* Print up to and including the separator. */
- dbname_len = static_cast<int>(slash - fts_table->parent) + 1;
- }
+ strchr(fts_table->table->name, '/'));
+ ut_ad(slash);
+ /* Print up to and including the separator. */
+ dbname_len = static_cast<int>(slash - fts_table->table->name) + 1;
len = fts_get_table_id(fts_table, table_id);
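Review bot: `ut_ad(slash)` is compiled out of non-debug builds, so a name without a '/' would reach `slash - fts_table->table->name` with a null `slash`, where the removed `if (slash)` used to skip that computation. Keeping the guard, or making the check unconditional with `ut_a(slash);`, avoids the undefined subtraction and the bogus `dbname_len` it would pass as the `%.*s` precision in the next hunk. The name pointer is also loaded separately for the strchr, the subtraction and the sprintf while the mutex assertion is still under `#if 0`; loading it once, `const char* name = fts_table->table->name;`, would keep the length and the copy on the same buffer until the FIXME is resolved, though it does not by itself make the access safe. The same applies to the identical hunks in storage/xtradb/fts/fts0sql.cc. The body of fts_get_table_name_prefix() starts and ends outside this hunk.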
@@ -127,7 +129,7 @@ fts_get_table_name_prefix(
prefix_name = static_cast<char*>(mem_alloc(prefix_name_len));
len = sprintf(prefix_name, "%.*sFTS_%s",
- dbname_len, fts_table->parent, table_id);
+ dbname_len, fts_table->table->name, table_id);
ut_a(len > 0);
ut_a(len == prefix_name_len - 1);
diff --git a/storage/innobase/include/fts0fts.h b/storage/innobase/include/fts0fts.h
index ce30a17c4b4..7265e42b0ab 100644
--- a/storage/innobase/include/fts0fts.h
+++ b/storage/innobase/include/fts0fts.h
@@ -151,7 +151,6 @@ do { \
(fts_table)->suffix = m_suffix; \
(fts_table)->type = m_type; \
(fts_table)->table_id = m_table->id; \
- (fts_table)->parent = m_table->name; \
(fts_table)->table = m_table; \
} while (0);
@@ -160,7 +159,6 @@ do { \
(fts_table)->suffix = m_suffix; \
(fts_table)->type = m_type; \
(fts_table)->table_id = m_index->table->id; \
- (fts_table)->parent = m_index->table->name; \
(fts_table)->table = m_index->table; \
(fts_table)->index_id = m_index->id; \
} while (0);
@@ -265,10 +263,6 @@ struct fts_result_t {
table id and the index id to generate the column specific FTS auxiliary
table name. */
struct fts_table_t {
- const char* parent; /*!< Parent table name, this is
- required only for the database
- name */
-
fts_table_type_t
type; /*!< The auxiliary table type */
@@ -424,7 +418,6 @@ fts_update_next_doc_id(
/*===================*/
trx_t* trx, /*!< in/out: transaction */
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id) /*!< in: DOC ID to set */
MY_ATTRIBUTE((nonnull(2)));
diff --git a/storage/innobase/row/row0ftsort.cc b/storage/innobase/row/row0ftsort.cc
index 6af93fb83fb..b5476cdfdbe 100644
--- a/storage/innobase/row/row0ftsort.cc
+++ b/storage/innobase/row/row0ftsort.cc
@@ -1500,7 +1500,6 @@ row_fts_merge_insert(
ins_ctx.fts_table.type = FTS_INDEX_TABLE;
ins_ctx.fts_table.index_id = index->id;
ins_ctx.fts_table.table_id = table->id;
- ins_ctx.fts_table.parent = index->table->name;
ins_ctx.fts_table.table = index->table;
space = table->space;
diff --git a/storage/innobase/row/row0merge.cc b/storage/innobase/row/row0merge.cc
index 4d836cebd6a..813194b1355 100644
--- a/storage/innobase/row/row0merge.cc
+++ b/storage/innobase/row/row0merge.cc
@@ -2070,8 +2070,7 @@ wait_again:
false, true, false);
if (err == DB_SUCCESS) {
- fts_update_next_doc_id(
- 0, new_table, old_table->name, max_doc_id);
+ fts_update_next_doc_id(NULL, new_table, max_doc_id);
}
}
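Review bot: The database prefix for this call now comes from `new_table->name` instead of the `old_table->name` that was passed before, and nothing in the hunk shows that the two tables are always in the same schema at this point. If that holds it is harmless, but it is a behaviour change the commit message does not mention; a comment such as `/* new_table is in the same database as old_table, so the FTS prefix is unchanged */` would record the assumption. The same call is changed in storage/xtradb/row/row0merge.cc. The enclosing function starts and ends outside this hunk.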
diff --git a/storage/innobase/row/row0mysql.cc b/storage/innobase/row/row0mysql.cc
index 47e0368e787..e8d68b3c8fa 100644
--- a/storage/innobase/row/row0mysql.cc
+++ b/storage/innobase/row/row0mysql.cc
@@ -3831,7 +3831,7 @@ next_rec:
os_thread_sleep(10000000););
table->fts->fts_status |= TABLE_DICT_LOCKED;
- fts_update_next_doc_id(trx, table, NULL, 0);
+ fts_update_next_doc_id(trx, table, 0);
fts_cache_clear(table->fts->cache);
fts_cache_init(table->fts->cache);
table->fts->fts_status &= ~TABLE_DICT_LOCKED;
diff --git a/storage/xtradb/fts/fts0fts.cc b/storage/xtradb/fts/fts0fts.cc
index 1ea3a8d2c60..9c90ec91ce7 100644
--- a/storage/xtradb/fts/fts0fts.cc
+++ b/storage/xtradb/fts/fts0fts.cc
@@ -334,7 +334,6 @@ dberr_t
fts_update_sync_doc_id(
/*===================*/
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id, /*!< in: last document id */
trx_t* trx) /*!< in: update trx, or NULL */
MY_ATTRIBUTE((nonnull(1)));
@@ -2045,7 +2044,6 @@ fts_create_index_tables_low(
fts_table.type = FTS_INDEX_TABLE;
fts_table.index_id = index->id;
fts_table.table_id = table_id;
- fts_table.parent = table_name;
fts_table.table = index->table;
#ifdef FTS_DOC_STATS_DEBUG
@@ -2632,7 +2630,6 @@ fts_update_next_doc_id(
/*===================*/
trx_t* trx, /*!< in/out: transaction */
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id) /*!< in: DOC ID to set */
{
table->fts->cache->synced_doc_id = doc_id;
@@ -2641,7 +2638,7 @@ fts_update_next_doc_id(
table->fts->cache->first_doc_id = table->fts->cache->next_doc_id;
fts_update_sync_doc_id(
- table, table_name, table->fts->cache->synced_doc_id, trx);
+ table, table->fts->cache->synced_doc_id, trx);
}
@@ -2712,8 +2709,6 @@ retry:
fts_table.type = FTS_COMMON_TABLE;
fts_table.table = table;
- fts_table.parent = table->name;
-
trx = trx_allocate_for_background();
trx->op_info = "update the next FTS document id";
@@ -2770,7 +2765,7 @@ retry:
if (doc_id_cmp > *doc_id) {
error = fts_update_sync_doc_id(
- table, table->name, cache->synced_doc_id, trx);
+ table, cache->synced_doc_id, trx);
}
*doc_id = cache->next_doc_id;
@@ -2808,7 +2803,6 @@ dberr_t
fts_update_sync_doc_id(
/*===================*/
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id, /*!< in: last document id */
trx_t* trx) /*!< in: update trx, or NULL */
{
@@ -2825,11 +2819,6 @@ fts_update_sync_doc_id(
fts_table.table_id = table->id;
fts_table.type = FTS_COMMON_TABLE;
fts_table.table = table;
- if (table_name) {
- fts_table.parent = table_name;
- } else {
- fts_table.parent = table->name;
- }
if (!trx) {
trx = trx_allocate_for_background();
@@ -6260,7 +6249,6 @@ fts_rename_one_aux_table_to_hex_format(
ut_a(fts_table.suffix != NULL);
- fts_table.parent = parent_table->name;
fts_table.table_id = aux_table->parent_id;
fts_table.index_id = aux_table->index_id;
fts_table.table = parent_table;
diff --git a/storage/xtradb/fts/fts0opt.cc b/storage/xtradb/fts/fts0opt.cc
index 38906f47ccd..ad64f6d1d37 100644
--- a/storage/xtradb/fts/fts0opt.cc
+++ b/storage/xtradb/fts/fts0opt.cc
@@ -1603,12 +1603,10 @@ fts_optimize_create(
optim->trx = trx_allocate_for_background();
- optim->fts_common_table.parent = table->name;
optim->fts_common_table.table_id = table->id;
optim->fts_common_table.type = FTS_COMMON_TABLE;
optim->fts_common_table.table = table;
- optim->fts_index_table.parent = table->name;
optim->fts_index_table.table_id = table->id;
optim->fts_index_table.type = FTS_INDEX_TABLE;
optim->fts_index_table.table = table;
diff --git a/storage/xtradb/fts/fts0que.cc b/storage/xtradb/fts/fts0que.cc
index b9ad43c626a..fa91771a7b2 100644
--- a/storage/xtradb/fts/fts0que.cc
+++ b/storage/xtradb/fts/fts0que.cc
@@ -1,7 +1,7 @@
/*****************************************************************************
Copyright (c) 2007, 2018, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2017, 2018, MariaDB Corporation.
+Copyright (c) 2017, 2019, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -3891,7 +3891,6 @@ fts_query(
query.fts_common_table.type = FTS_COMMON_TABLE;
query.fts_common_table.table_id = index->table->id;
- query.fts_common_table.parent = index->table->name;
query.fts_common_table.table = index->table;
charset = fts_index_get_charset(index);
@@ -3899,7 +3898,6 @@ fts_query(
query.fts_index_table.type = FTS_INDEX_TABLE;
query.fts_index_table.index_id = index->id;
query.fts_index_table.table_id = index->table->id;
- query.fts_index_table.parent = index->table->name;
query.fts_index_table.charset = charset;
query.fts_index_table.table = index->table;
diff --git a/storage/xtradb/fts/fts0sql.cc b/storage/xtradb/fts/fts0sql.cc
index cb8eff3cacc..dcc1e4c97e9 100644
--- a/storage/xtradb/fts/fts0sql.cc
+++ b/storage/xtradb/fts/fts0sql.cc
@@ -1,6 +1,7 @@
/*****************************************************************************
Copyright (c) 2007, 2013, Oracle and/or its affiliates. All Rights Reserved.
+Copyright (c) 2019, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -112,13 +113,14 @@ fts_get_table_name_prefix(
int prefix_name_len;
char table_id[FTS_AUX_MIN_TABLE_ID_LENGTH];
+#if 0 /* FIXME: protect the access to dict_table_t::name */
+ ut_ad(mutex_own(&dict_sys->mutex));
+#endif
slash = static_cast<const char*>(
- memchr(fts_table->parent, '/', strlen(fts_table->parent)));
-
- if (slash) {
- /* Print up to and including the separator. */
- dbname_len = static_cast<int>(slash - fts_table->parent) + 1;
- }
+ strchr(fts_table->table->name, '/'));
+ ut_ad(slash);
+ /* Print up to and including the separator. */
+ dbname_len = static_cast<int>(slash - fts_table->table->name) + 1;
len = fts_get_table_id(fts_table, table_id);
@@ -127,7 +129,7 @@ fts_get_table_name_prefix(
prefix_name = static_cast<char*>(mem_alloc(prefix_name_len));
len = sprintf(prefix_name, "%.*sFTS_%s",
- dbname_len, fts_table->parent, table_id);
+ dbname_len, fts_table->table->name, table_id);
ut_a(len > 0);
ut_a(len == prefix_name_len - 1);
diff --git a/storage/xtradb/include/fts0fts.h b/storage/xtradb/include/fts0fts.h
index ce30a17c4b4..7265e42b0ab 100644
--- a/storage/xtradb/include/fts0fts.h
+++ b/storage/xtradb/include/fts0fts.h
@@ -151,7 +151,6 @@ do { \
(fts_table)->suffix = m_suffix; \
(fts_table)->type = m_type; \
(fts_table)->table_id = m_table->id; \
- (fts_table)->parent = m_table->name; \
(fts_table)->table = m_table; \
} while (0);
@@ -160,7 +159,6 @@ do { \
(fts_table)->suffix = m_suffix; \
(fts_table)->type = m_type; \
(fts_table)->table_id = m_index->table->id; \
- (fts_table)->parent = m_index->table->name; \
(fts_table)->table = m_index->table; \
(fts_table)->index_id = m_index->id; \
} while (0);
@@ -265,10 +263,6 @@ struct fts_result_t {
table id and the index id to generate the column specific FTS auxiliary
table name. */
struct fts_table_t {
- const char* parent; /*!< Parent table name, this is
- required only for the database
- name */
-
fts_table_type_t
type; /*!< The auxiliary table type */
@@ -424,7 +418,6 @@ fts_update_next_doc_id(
/*===================*/
trx_t* trx, /*!< in/out: transaction */
const dict_table_t* table, /*!< in: table */
- const char* table_name, /*!< in: table name, or NULL */
doc_id_t doc_id) /*!< in: DOC ID to set */
MY_ATTRIBUTE((nonnull(2)));
diff --git a/storage/xtradb/row/row0ftsort.cc b/storage/xtradb/row/row0ftsort.cc
index d3c8b9a80bd..6ae7827777a 100644
--- a/storage/xtradb/row/row0ftsort.cc
+++ b/storage/xtradb/row/row0ftsort.cc
@@ -1503,7 +1503,6 @@ row_fts_merge_insert(
ins_ctx.fts_table.type = FTS_INDEX_TABLE;
ins_ctx.fts_table.index_id = index->id;
ins_ctx.fts_table.table_id = table->id;
- ins_ctx.fts_table.parent = index->table->name;
ins_ctx.fts_table.table = index->table;
space = table->space;
diff --git a/storage/xtradb/row/row0merge.cc b/storage/xtradb/row/row0merge.cc
index 75d7397e7ee..2a8a0b06b11 100644
--- a/storage/xtradb/row/row0merge.cc
+++ b/storage/xtradb/row/row0merge.cc
@@ -2083,8 +2083,7 @@ wait_again:
false, true, false);
if (err == DB_SUCCESS) {
- fts_update_next_doc_id(
- 0, new_table, old_table->name, max_doc_id);
+ fts_update_next_doc_id(NULL, new_table, max_doc_id);
}
}
diff --git a/storage/xtradb/row/row0mysql.cc b/storage/xtradb/row/row0mysql.cc
index a21e32cb91e..6ee7f702b70 100644
--- a/storage/xtradb/row/row0mysql.cc
+++ b/storage/xtradb/row/row0mysql.cc
@@ -3841,7 +3841,7 @@ next_rec:
os_thread_sleep(10000000););
table->fts->fts_status |= TABLE_DICT_LOCKED;
- fts_update_next_doc_id(trx, table, NULL, 0);
+ fts_update_next_doc_id(trx, table, 0);
fts_cache_clear(table->fts->cache);
fts_cache_init(table->fts->cache);
table->fts->fts_status &= ~TABLE_DICT_LOCKED;