author | Monty <monty@mariadb.org> | 2021-02-01 18:46:34 +0200 |
---|---|---|
committer | Monty <monty@mariadb.org> | 2021-02-03 02:22:47 +0200 |
commit | eacefbca3596fa9cb853272265855d4efafd5f24 (patch) | |
tree | b1c3bce08841852163468bc4fff595ad2aba4907 /mysys/safemalloc.c | |
parent | b76e5c66107d75d0161d8f8ab3cf05fc360c831e (diff) | |
download | mariadb-git-eacefbca3596fa9cb853272265855d4efafd5f24.tar.gz |
MDEV-24750 Various corruptions caused by Aria subsystem...
The test case was setting aria_sort_buffer_size to MAX_ULONGLONG-1
which was not handled gracefully by my_malloc() or safemalloc().
Fixed by ensuring that the malloc functions return 0 if the size
is too big.
I also added some protection to Aria repair:
- Limit sort_buffer_size to 16G (after that a bigger sort buffer will
not help that much anyway)
- Limit sort_buffer_size also according to sort file size. This will
help by not allocating less memory if someone sets the buffer size too
high.
Diffstat (limited to 'mysys/safemalloc.c')
-rw-r--r-- | mysys/safemalloc.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/mysys/safemalloc.c b/mysys/safemalloc.c index d38c3bcfb66..e2d59f8e824 100644 --- a/mysys/safemalloc.c +++ b/mysys/safemalloc.c @@ -115,9 +115,10 @@ void *sf_malloc(size_t size, myf my_flags) init_done= 1; } - irem= (struct st_irem *) malloc (sizeof(struct st_irem) + size + 4); + if (size > SIZE_T_MAX - 1024L*1024L*16L) /* Wrong call */ + return 0; - if (!irem) + if (!(irem= (struct st_irem *) malloc (sizeof(struct st_irem) + size + 4))) return 0; /* we guarantee the alignment */ |
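Review bot: the new guard `if (size > SIZE_T_MAX - 1024L*1024L*16L)` relies on an unexplained 16M margin, and its `/* Wrong call */` comment does not say that the check exists to keep `sizeof(struct st_irem) + size + 4` from wrapping around in the malloc() call that follows. The only overhead visible in this hunk is the header plus 4 bytes, so please either give the margin a named constant or extend the comment to state why 16M is reserved and that it must stay larger than that overhead; otherwise a later change to the added bytes cannot be checked against the guard. Two smaller points: the early `return 0` ignores `my_flags`, so a caller that passes an oversized length gets a silent NULL just like an out-of-memory failure, and a debug assert or error report at that spot would make the "wrong call" case visible in testing. Folding the assignment into `if (!(irem= ... malloc (...)))` is harder to read than the previous two statements and is not needed for the fix.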