authorMarko Mäkelä <marko.makela@mariadb.com>2020-06-06 09:32:18 +0300
committerMarko Mäkelä <marko.makela@mariadb.com>2020-06-06 09:33:48 +0300
commit1bd5b75c733840813ea1fe18c5908422a707e677 (patch)
tree82ab829b983b0254257ce41f91f9779d88ed8661
parent7a695d8a82eaaa7db0cf4484b22fc3db3d43ac49 (diff)
MDEV-22818 Server crash on corrupted ROW_FORMAT=COMPRESSED page
page_zip_fields_decode(): Do not dereference index=NULL. Instead, return NULL early. The only caller does not care about the values of output parameters in that case. This bug was introduced in MySQL 5.7.6 by mysql/mysql-server@9eae0edb7a8e4004328e61157f5f3b39cebe1b2b and in MariaDB 10.2.2 by commit 2e814d4702d71a04388386a9f591d14a35980bfe. Thanks to my son for pointing this out after investigating the output of a static analysis tool.
-rw-r--r--storage/innobase/page/page0zip.cc6
1 files changed, 3 insertions, 3 deletions
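diff --git a/storage/innobase/page/page0zip.cc b/storage/innobase/page/page0zip.cc
index ee82fdbd7cd..b507945f076 100644
--- a/storage/innobase/page/page0zip.cc
+++ b/storage/innobase/page/page0zip.cc
@@ -1756,8 +1756,9 @@ page_zip_fields_decode(
 if (!val) {
 val = ULINT_UNDEFINED;
 } else if (UNIV_UNLIKELY(val >= n)) {
+fail:
 page_zip_fields_free(index);
-index = NULL;
+return NULL;
 } else {
 index->type = DICT_CLUSTERED;
 }
@@ -1766,8 +1767,7 @@ page_zip_fields_decode(
 } else {
 /* Decode the number of nullable fields. */
 if (UNIV_UNLIKELY(index->n_nullable > val)) {
-page_zip_fields_free(index);
-index = NULL;
+goto fail;
 } else {
 index->n_nullable = unsigned(val);
 }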
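Review bot: The `fail:` label introduced in the first hunk sits inside the `else if (UNIV_UNLIKELY(val >= n))` block, and the `goto fail;` in the second hunk jumps backwards into that block from a sibling branch, which is well-formed C++ only because no initialized declaration lies between the block's opening brace and the label. Anyone who later adds such a declaration there gets a compile error rather than a silent cleanup bug, but a jump into the middle of one branch is easy to misread when the first hunk is scanned on its own, so a dedicated cleanup label at the end of page_zip_fields_decode (the function body starts before and continues after both hunks) would read more plainly and keep the two error exits from depending on branch order. Whichever placement is kept, a comment at the label would document the contract the fix relies on, e.g. `/* fail: shared error exit; index is freed and, per the only caller, no output parameter is read on a NULL return. */`, since both new return sites now exit without assigning the output parameters; I cannot see from the hunks whether any other resource acquired earlier in the function also needs releasing on this path, so that is worth confirming as well.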