author | Alexey Botchkov <holyfoot@askmonty.org> | 2020-04-29 11:06:48 +0400 |
---|---|---|
committer | Alexey Botchkov <holyfoot@askmonty.org> | 2020-04-29 11:06:48 +0400 |
commit | 4af4284b79ca05ca18c59051eca4705fc3b20181 (patch) | |
tree | f34d07bb8b987c5024747c987ba2745b7afc7192 | |
parent | dd5c307cb00bfde6c88bf125f61b3e0d85dc79a5 (diff) | |
download | mariadb-git-4af4284b79ca05ca18c59051eca4705fc3b20181.tar.gz |
MDEV-22337 Assertion `Alloced_length >= (str_length + length +...
Fix pointer calculations in the Session_tracker::store.
Most of the fix for this bug goes into 10.5, but this part should also be fixed
in earlier versions.
-rw-r--r-- | sql/session_tracker.cc | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sql/session_tracker.cc b/sql/session_tracker.cc
index 4ca94b6cd60..7538295fcea 100644
--- a/sql/session_tracker.cc
+++ b/sql/session_tracker.cc
@@ -1693,7 +1693,7 @@ void Session_tracker::store(THD *thd, String *buf)
 }
 size_t length= buf->length() - start;
- uchar *data= (uchar *)(buf->ptr() + start);
+ uchar *data;
 uint size;
 if ((size= net_length_size(length)) != 1)
@@ -1703,8 +1703,16 @@ void Session_tracker::store(THD *thd, String *buf)
 buf->length(start); // it is safer to have 0-length block in case of error
 return;
 }
+
+ /*
+ The 'buf->reserve()' can change the buf->ptr() so we cannot
+ calculate the 'data' earlier.
+ */
+ data= (uchar *)(buf->ptr() + start);
 memmove(data + (size - 1), data, length);
 }
+ else
+ data= (uchar *)(buf->ptr() + start);
 net_store_length(data - 1, length);
 } |
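Review bot: In the second hunk, the `memmove` in the `size != 1` branch shifts the payload `size - 1` bytes to the right, but nothing between that call and the closing brace of `Session_tracker::store` extends the length of `buf`. If `reserve()` only grows the allocation, as the MDEV-22337 assertion text suggests, the last `size - 1` bytes of the block end up beyond `buf->length()`, and a later append would overwrite them. Consider adding `buf->length(buf->length() + (size - 1));` right after the successful `reserve()`; the commit message says the rest of the fix lands in 10.5, so this may be intentionally deferred. Separately, `net_store_length(data - 1, length)` relies on a byte having been left free just before `start`, which is set up above the hunk, so a `DBUG_ASSERT(start > 0);` before that call would document and check the precondition. The function begins outside the hunk.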