limit frm size, when reading it in memory

author: Sergei Golubchik <sergii@pisem.net> 2013-04-09 16:18:47 +0200
committer: Sergei Golubchik <sergii@pisem.net> 2013-04-09 16:18:47 +0200
commit: 37379ef0ed598ee553907d87bbf2a7dfcdbc34f1 (patch)
tree: 72d17bfc8574d1a4221b7fc964e186de9ef45473
parent: e71cda83c685a27a4ec4f9d3083fed3f44b22642 (diff)
download: mariadb-git-37379ef0ed598ee553907d87bbf2a7dfcdbc34f1.tar.gz
3 files changed, 8 insertions, 4 deletions
diff --git a/sql/discover.cc b/sql/discover.cc
index a499e234a8f..5add741fc0c 100644
--- a/sql/discover.cc
+++ b/sql/discover.cc
@@ -70,7 +70,7 @@ int readfrm(const char *name, const uchar **frmdata, size_t *len)
   error= 2;
   if (mysql_file_fstat(file, &state, MYF(0)))
     goto err;
-  read_len= (size_t)state.st_size;  
+  read_len= (size_t)min(FRM_MAX_SIZE, state.st_size); // safety
 
   // Read whole frm file
   error= 3;
diff --git a/sql/table.cc b/sql/table.cc
index c35e9b5dde0..b311d8cb0a6 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -596,6 +596,7 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
   uchar *buf;
   uchar head[FRM_HEADER_SIZE];
   char	path[FN_REFLEN];
+  size_t frmlen;
   DBUG_ENTER("open_table_def");
   DBUG_PRINT("enter", ("table: '%s'.'%s'  path: '%s'", share->db.str,
                        share->table_name.str, share->normalized_path.str));
@@ -642,13 +643,15 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
   if (my_fstat(file, &stats, MYF(0)))
     goto err;
 
-  if (!(buf= (uchar*)my_malloc(stats.st_size, MYF(MY_THREAD_SPECIFIC|MY_WME))))
+  frmlen= min(FRM_MAX_SIZE, stats.st_size); // safety
+
+  if (!(buf= (uchar*)my_malloc(frmlen, MYF(MY_THREAD_SPECIFIC|MY_WME))))
     goto err;
 
   memcpy(buf, head, sizeof(head));
 
   if (mysql_file_read(file, buf + sizeof(head),
-                      stats.st_size - sizeof(head), MYF(MY_NABP)))
+                      frmlen - sizeof(head), MYF(MY_NABP)))
   {
     share->error = my_errno == HA_ERR_FILE_TOO_SHORT
                       ? OPEN_FRM_CORRUPTED : OPEN_FRM_READ_ERROR;
@@ -657,7 +660,7 @@ enum open_frm_error open_table_def(THD *thd, TABLE_SHARE *share, uint flags)
   }
   mysql_file_close(file, MYF(MY_WME));
 
-  share->init_from_binary_frm_image(thd, false, buf, stats.st_size);
+  share->init_from_binary_frm_image(thd, false, buf, frmlen);
   error_given= true; // init_from_binary_frm_image has already called my_error()
   my_free(buf);
 
diff --git a/sql/unireg.h b/sql/unireg.h
index 8fba6e5cfbe..0ef69beb08a 100644
--- a/sql/unireg.h
+++ b/sql/unireg.h
@@ -193,6 +193,7 @@ LEX_CUSTRING build_frm_image(THD *thd, const char *table,
 
 #define FRM_HEADER_SIZE 64
 #define FRM_FORMINFO_SIZE 288
+#define FRM_MAX_SIZE (256*1024)
 
 static inline bool is_binary_frm_header(uchar *head)
 {
author	Sergei Golubchik <sergii@pisem.net>	2013-04-09 16:18:47 +0200
committer	Sergei Golubchik <sergii@pisem.net>	2013-04-09 16:18:47 +0200
commit	37379ef0ed598ee553907d87bbf2a7dfcdbc34f1 (patch)
tree	72d17bfc8574d1a4221b7fc964e186de9ef45473
parent	e71cda83c685a27a4ec4f9d3083fed3f44b22642 (diff)
download	mariadb-git-37379ef0ed598ee553907d87bbf2a7dfcdbc34f1.tar.gz