BUG#47598 - MyISAM may write uninitialized data to disk

When MyISAM writes newly created index page it may be
initialized partially. In other words some bytes of
sensible data and uninitialized tail of the page may
go into index file.

Under certain rare circumstances these hunks of memory
may contain data that would be otherwise inaccessible
to user, like passwords or data from other tables.

Fixed by initializing memory for temporary MyISAM key
buffer to '\0'.

No test case for this fix as it is heavily covered by
existing tests.

storage/myisam/mi_open.c:
  When creating new MI_INFO object, initialize MI_INFO::buff.
  This is done to ensure that we never write uninitialized
  memory hunks to index file.
storage/myisam/mi_page.c:
  No need to silence memory error detector anymore,
  page buffer is always initialized.
storage/myisam/mi_write.c:
  Fixed invalid memory read of 2 bytes. new_right_length
  is length of data on a page, including first 2 bytes
  that store this length itself. pos + k_length is pure
  data excluding these 2 bytes containing length.
storage/myisam/rt_index.c:
  To avoid uninitialized data write, create new page
  on info->buff, instead of locally allocated buffer.
  
  Note: second key block on info->buff is used here,
  because first block is used by called functions.
storage/myisam/rt_split.c:
  To avoid uninitialized data write, create new page
  on info->buff, instead of locally allocated buffer.

5 files changed, 7 insertions, 26 deletions

diff --git a/storage/myisam/mi_open.c b/storage/myisam/mi_open.c
index e18146f2357..f2f390862bd 100644
--- a/storage/myisam/mi_open.c
+++ b/storage/myisam/mi_open.c
@@ -652,6 +652,9 @@ MI_INFO *mi_open(const char *name, int mode, uint open_flags)
   myisam_open_list=list_add(myisam_open_list,&m_info->open_list);
 
   pthread_mutex_unlock(&THR_LOCK_myisam);
+
+  bzero(info.buff, share->base.max_key_block_length * 2);
+
   if (myisam_log_file >= 0)
   {
     intern_filename(name_buff,share->index_file_name);
diff --git a/storage/myisam/mi_page.c b/storage/myisam/mi_page.c
index 23a2526f756..76fac8688a7 100644
--- a/storage/myisam/mi_page.c
+++ b/storage/myisam/mi_page.c
@@ -86,13 +86,6 @@ int _mi_write_keypage(register MI_INFO *info, register MI_KEYDEF *keyinfo,
   if ((length=keyinfo->block_length) > IO_SIZE*2 &&
       info->state->key_file_length != page+length)
     length= ((mi_getint(buff)+IO_SIZE-1) & (uint) ~(IO_SIZE-1));
-#ifdef HAVE_purify
-  {
-    length=mi_getint(buff);
-    bzero((uchar*) buff+length,keyinfo->block_length-length);
-    length=keyinfo->block_length;
-  }
-#endif
   DBUG_RETURN((key_cache_write(info->s->key_cache,
                          info->s->kfile,page, level, (uchar*) buff,length,
 			 (uint) keyinfo->block_length,
diff --git a/storage/myisam/mi_write.c b/storage/myisam/mi_write.c
index 624c31e57ff..72a4e006cc6 100644
--- a/storage/myisam/mi_write.c
+++ b/storage/myisam/mi_write.c
@@ -825,7 +825,7 @@ static int _mi_balance_page(register MI_INFO *info, MI_KEYDEF *keyinfo,
 	     (size_t) (length=new_left_length - left_length - k_length));
       pos=buff+2+length;
       memcpy((uchar*) father_key_pos,(uchar*) pos,(size_t) k_length);
-      bmove((uchar*) buff+2,(uchar*) pos+k_length,new_right_length);
+      bmove((uchar*) buff + 2, (uchar*) pos + k_length, new_right_length - 2);
     }
     else
     {						/* Move keys -> buff */
diff --git a/storage/myisam/rt_index.c b/storage/myisam/rt_index.c
index 31241a83228..410badd3145 100644
--- a/storage/myisam/rt_index.c
+++ b/storage/myisam/rt_index.c
@@ -641,18 +641,12 @@ static int rtree_insert_level(MI_INFO *info, uint keynr, uchar *key,
     }
     case 1: /* root was split, grow a new root */
     { 
-      uchar *new_root_buf;
+      uchar *new_root_buf= info->buff + info->s->base.max_key_block_length;
       my_off_t new_root;
       uchar *new_key;
       uint nod_flag = info->s->base.key_reflength;
 
       DBUG_PRINT("rtree", ("root was split, grow a new root"));
-      if (!(new_root_buf = (uchar*)my_alloca((uint)keyinfo->block_length + 
-                                             MI_MAX_KEY_BUFF)))
-      {
-        my_errno = HA_ERR_OUT_OF_MEM;
-        DBUG_RETURN(-1); /* purecov: inspected */
-      }
 
       mi_putint(new_root_buf, 2, nod_flag);
       if ((new_root = _mi_new(info, keyinfo, DFLT_INIT_HITS)) ==
@@ -680,10 +674,8 @@ static int rtree_insert_level(MI_INFO *info, uint keynr, uchar *key,
       DBUG_PRINT("rtree", ("new root page: %lu  level: %d  nod_flag: %u",
                            (ulong) new_root, 0, mi_test_if_nod(new_root_buf)));
 
-      my_afree((uchar*)new_root_buf);
       break;
 err1:
-      my_afree((uchar*)new_root_buf);
       DBUG_RETURN(-1); /* purecov: inspected */
     }
     default:
diff --git a/storage/myisam/rt_split.c b/storage/myisam/rt_split.c
index ef988dbd048..88cf643faf9 100644
--- a/storage/myisam/rt_split.c
+++ b/storage/myisam/rt_split.c
@@ -258,7 +258,7 @@ int rtree_split_page(MI_INFO *info, MI_KEYDEF *keyinfo, uchar *page, uchar *key,
   double *old_coord;
   int n_dim;
   uchar *source_cur, *cur1, *cur2;
-  uchar *new_page;
+  uchar *new_page= info->buff;
   int err_code= 0;
   uint nod_flag= mi_test_if_nod(page);
   uint full_length= key_length + (nod_flag ? nod_flag : 
@@ -304,12 +304,7 @@ int rtree_split_page(MI_INFO *info, MI_KEYDEF *keyinfo, uchar *page, uchar *key,
     goto split_err;
   }
 
-  if (!(new_page = (uchar*)my_alloca((uint)keyinfo->block_length)))
-  {
-    err_code= -1;
-    goto split_err;
-  }
-  
+  info->buff_used= 1;
   stop = task + (max_keys + 1);
   cur1 = rt_PAGE_FIRST_KEY(page, nod_flag);
   cur2 = rt_PAGE_FIRST_KEY(new_page, nod_flag);
@@ -345,8 +340,6 @@ int rtree_split_page(MI_INFO *info, MI_KEYDEF *keyinfo, uchar *page, uchar *key,
                                 DFLT_INIT_HITS, new_page);
   DBUG_PRINT("rtree", ("split new block: %lu", (ulong) *new_page_offs));
 
-  my_afree((uchar*)new_page);
-
 split_err:
   my_afree((uchar*) coord_buf);
   DBUG_RETURN(err_code);