author | Sergei Golubchik <sergii@pisem.net> | 2013-04-09 16:18:47 +0200 |
---|---|---|
committer | Sergei Golubchik <sergii@pisem.net> | 2013-04-09 16:18:47 +0200 |
commit | 37379ef0ed598ee553907d87bbf2a7dfcdbc34f1 (patch) | |
tree | 72d17bfc8574d1a4221b7fc964e186de9ef45473 | |
parent | e71cda83c685a27a4ec4f9d3083fed3f44b22642 (diff) | |
download | mariadb-git-37379ef0ed598ee553907d87bbf2a7dfcdbc34f1.tar.gz |
limit frm size, when reading it in memory
-rw-r--r-- | sql/discover.cc | 2 | ||||
-rw-r--r-- | sql/table.cc | 9 | ||||
-rw-r--r-- | sql/unireg.h | 1 |
3 files changed, 8 insertions, 4 deletions
diff --git a/sql/discover.cc b/sql/discover.cc
index a499e234a8f..5add741fc0c 100644
--- a/sql/discover.cc
+++ b/sql/discover.cc
@@ -70,7 +70,7 @@ int readfrm(const char *name, const uchar **frmdata, size_t *len)
 error= 2;
 if (mysql_file_fstat(file, &state, MYF(0)))
 goto err;
- read_len= (size_t)state.st_size;
+ read_len= (size_t)min(FRM_MAX_SIZE, state.st_size); // safety
 // Read whole frm file
 error= 3;
diff --git a/sql/table.cc b/sql/table.cc
index c35e9b5dde0..b311d8cb0a6 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -596,6 +596,7 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
 uchar *buf;
 uchar head[FRM_HEADER_SIZE];
 char path[FN_REFLEN];
+ size_t frmlen;
 DBUG_ENTER("open_table_def");
 DBUG_PRINT("enter", ("table: '%s'.'%s' path: '%s'", share->db.str, share->table_name.str, share->normalized_path.str));
@@ -642,13 +643,15 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
 if (my_fstat(file, &stats, MYF(0)))
 goto err;
- if (!(buf= (uchar*)my_malloc(stats.st_size, MYF(MY_THREAD_SPECIFIC|MY_WME))))
+ frmlen= min(FRM_MAX_SIZE, stats.st_size); // safety
+
+ if (!(buf= (uchar*)my_malloc(frmlen, MYF(MY_THREAD_SPECIFIC|MY_WME))))
 goto err;
 memcpy(buf, head, sizeof(head));
 if (mysql_file_read(file, buf + sizeof(head),
- stats.st_size - sizeof(head), MYF(MY_NABP)))
+ frmlen - sizeof(head), MYF(MY_NABP)))
 {
 share->error = my_errno == HA_ERR_FILE_TOO_SHORT ? OPEN_FRM_CORRUPTED : OPEN_FRM_READ_ERROR;
@@ -657,7 +660,7 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
 }
 mysql_file_close(file, MYF(MY_WME));
- share->init_from_binary_frm_image(thd, false, buf, stats.st_size);
+ share->init_from_binary_frm_image(thd, false, buf, frmlen);
 error_given= true; // init_from_binary_frm_image has already called my_error()
 my_free(buf);
diff --git a/sql/unireg.h b/sql/unireg.h
index 8fba6e5cfbe..0ef69beb08a 100644
--- a/sql/unireg.h
+++ b/sql/unireg.h
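Review bot: In readfrm(), `read_len= (size_t)min(FRM_MAX_SIZE, state.st_size);` silently truncates an frm larger than FRM_MAX_SIZE instead of rejecting it, so the caller appears to receive a 256 KB prefix as if it were the whole file. Whether that is safe depends on the frm parser bounds-checking every offset in the image against the length it is given, which is not visible on this page. Failing closed would be more defensive, for example `if (state.st_size > FRM_MAX_SIZE) goto err;` ahead of the assignment (`error= 2` is the code in effect at that point; a dedicated code may be preferable). The same clamp-without-reject pattern appears in open_table_def() in sql/table.cc as `frmlen= min(FRM_MAX_SIZE, stats.st_size);`. readfrm's body starts and continues outside the hunk.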
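Review bot: In open_table_def(), `frmlen` gets an upper bound but no lower bound: if `stats.st_size` is smaller than `sizeof(head)`, `my_malloc(frmlen, ...)` returns a buffer shorter than the 64-byte header, `memcpy(buf, head, sizeof(head))` writes past its end, and `frmlen - sizeof(head)` wraps to a very large size_t read length. The header read that presumably precedes this hunk makes that unlikely, but the size comes from a separate my_fstat() call, so the file can differ between the two. A guard right after the clamp closes the gap: `if (frmlen < sizeof(head)) { share->error= OPEN_FRM_CORRUPTED; goto err; }`. `goto err` is already taken before the allocation on the my_fstat() failure path, so the label should be reachable there; the rest of the function is outside the hunk.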
@@ -193,6 +193,7 @@ LEX_CUSTRING build_frm_image(THD *thd, const char *table,
 #define FRM_HEADER_SIZE 64
 #define FRM_FORMINFO_SIZE 288
+#define FRM_MAX_SIZE (256*1024)
 static inline bool is_binary_frm_header(uchar *head) { |
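Review bot: `FRM_MAX_SIZE` is introduced without a comment, and the two call sites on this page explain it only as `// safety`. A short comment on the define would tell maintainers what the limit protects and what happens to a larger file, e.g. `/* cap on the bytes of an frm file read into memory; readfrm() and open_table_def() clamp the read length to this */`. That also records that the current behaviour is truncation rather than rejection, which matters to anyone auditing the frm parser.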