author | Sergey Glukhov <Sergey.Glukhov@sun.com> | 2009-05-27 15:34:21 +0500 |
---|---|---|
committer | Sergey Glukhov <Sergey.Glukhov@sun.com> | 2009-05-27 15:34:21 +0500 |
commit | cb07978da9a24244cf71d9be86eeb794088f67c7 (patch) | |
tree | 6e9f81a0f0284469dd98521f14915cac7de9d740 | |
parent | 2b4fcc1dbfaa459eeb5299eb0e372ab461b06278 (diff) | |
download | mariadb-git-cb07978da9a24244cf71d9be86eeb794088f67c7.tar.gz |
Bug#41212 crash after race condition between merge table and table_cache evictions
On 64-bit Windows: querying a MERGE table with keys may cause a
server crash. The problem is generic and may affect any statement
accessing MERGE table cardinality values.
When the MERGE engine was copying cardinality statistics, it was
using an incorrect element size for the cardinality statistics array
(sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
to memory beyond the allocated bounds.
-rw-r--r-- | sql/ha_myisam.cc | 2 | ||||
-rw-r--r-- | sql/ha_myisammrg.cc | 4 | ||||
-rw-r--r-- | sql/table.cc | 2 |
3 files changed, 4 insertions, 4 deletions
diff --git a/sql/ha_myisam.cc b/sql/ha_myisam.cc
index 5ed791d0f68..95b7b338131 100644
--- a/sql/ha_myisam.cc
+++ b/sql/ha_myisam.cc
@@ -1684,7 +1684,7 @@ int ha_myisam::info(uint flag)
 if (share->key_parts)
 memcpy((char*) table->key_info[0].rec_per_key,
 (char*) misam_info.rec_per_key,
- sizeof(table->key_info[0].rec_per_key)*share->key_parts);
+ sizeof(table->key_info[0].rec_per_key[0])*share->key_parts);
 raid_type= misam_info.raid_type;
 raid_chunks= misam_info.raid_chunks;
 raid_chunksize= misam_info.raid_chunksize;
diff --git a/sql/ha_myisammrg.cc b/sql/ha_myisammrg.cc
index f15a37efdc5..fef2e21d271 100644
--- a/sql/ha_myisammrg.cc
+++ b/sql/ha_myisammrg.cc
@@ -402,11 +402,11 @@ int ha_myisammrg::info(uint flag)
 with such a number, it'll be an error later anyway.
 */
 bzero((char*) table->key_info[0].rec_per_key,
- sizeof(table->key_info[0].rec_per_key) * table->s->key_parts);
+ sizeof(table->key_info[0].rec_per_key[0]) * table->s->key_parts);
 #endif
 memcpy((char*) table->key_info[0].rec_per_key,
 (char*) mrg_info.rec_per_key,
- sizeof(table->key_info[0].rec_per_key) *
+ sizeof(table->key_info[0].rec_per_key[0]) *
 min(file->keys, table->s->key_parts));
 }
 }
diff --git a/sql/table.cc b/sql/table.cc
index c559b4bb7fd..55a9b50605d 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -233,7 +233,7 @@ int openfrm(THD *thd, const char *name, const char *alias, uint db_stat,
 ulong *rec_per_key;
 if (!(rec_per_key= (ulong*) alloc_root(&outparam->mem_root,
- sizeof(ulong*)*key_parts)))
+ sizeof(ulong)*key_parts)))
 goto err;
 for (i=0 ; i < keys ; i++, keyinfo++) |
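Review bot: The corrected byte count in `ha_myisam::info` is still derived from the destination element alone, and the `(char*)` casts on both `memcpy` arguments hide whether `misam_info.rec_per_key` has the same element type, so a later type change on either side could bring the over-read back without any compiler diagnostic. A short comment above the call would record the invariant, for example `/* rec_per_key holds key_parts ulong values on both sides; size by element, never by pointer */`. The same remark applies to the `memcpy` in the `ha_myisammrg::info` hunk. The declaration of `misam_info` is outside the hunk, so the source element type is assumed here rather than confirmed.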
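Review bot: The `bzero` that clears the whole `rec_per_key` array sits inside a conditional section (only its `#endif` is visible), while the `memcpy` that follows fills just `min(file->keys, table->s->key_parts)` elements. In builds where that section is compiled out, and if `file->keys` is smaller than `table->s->key_parts`, the trailing elements keep whatever the allocator left in them, and the comment fragment in the hunk ("it'll be an error later anyway") suggests they can still be reached. Dropping the conditional around the `bzero` costs one small clear per call and removes the uninitialised read. The opening `#if` and the start of the comment are outside the hunk, so the exact build condition cannot be confirmed from here.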
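Review bot: Shrinking the allocation to `sizeof(ulong)*key_parts` removes the slack that, on platforms where a pointer is wider than `ulong`, kept the old pointer-sized copies inside the destination buffer. This commit corrects the MyISAM and MERGE handlers only; any other code that still fills `rec_per_key` with a size based on `sizeof(...rec_per_key)` would now write past the end of this `mem_root` block rather than only over-reading its source, so the remaining users of the array are worth auditing alongside this change. Writing the size as `sizeof(*rec_per_key)*key_parts` would also tie the allocation to the variable's declared type. `openfrm` starts and ends outside the hunk.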