diff options
| author | evgen@moonbone.local <> | 2008-01-09 00:40:41 +0300 |
|---|---|---|
| committer | evgen@moonbone.local <> | 2008-01-09 00:40:41 +0300 |
| commit | ce111a0d734951a363e2f44670e0e40100d7f757 (patch) | |
| tree | 927a02087cade37f0b1badec2fd589d545af1a62 /sql/filesort.cc | |
| parent | 7fe932ed82839a82bfa7eea058766947e976cf9c (diff) | |
| download | mariadb-git-ce111a0d734951a363e2f44670e0e40100d7f757.tar.gz | |
Bug#33675: Usage of an uninitialized memory by filesort in a subquery caused
server crash.
The filesort implementation has an optimization for subquery execution which
consists of reusing previously allocated buffers. In particular the call to
the read_buffpek_from_file function might be skipped when a big enough buffer
for buffer descriptors (buffpeks) is already allocated. Beside allocating
memory for buffpeks this function fills allocated buffer with data read from
disk. Skipping it might led to using an arbitrary memory as fields' data and
finally to a crash.
Now the read_buffpek_from_file function is always called. It allocates
new buffer only when necessary, but always fill it with correct data.
Diffstat (limited to 'sql/filesort.cc')
| -rw-r--r-- | sql/filesort.cc | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/sql/filesort.cc b/sql/filesort.cc index 08ffa2211fa..5a8e3627758 100644 --- a/sql/filesort.cc +++ b/sql/filesort.cc @@ -37,7 +37,8 @@ if (my_b_write((file),(byte*) (from),param->ref_length)) \ static char **make_char_array(char **old_pos, register uint fields, uint length, myf my_flag); -static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffer_file, uint count); +static byte *read_buffpek_from_file(IO_CACHE *buffer_file, uint count, + byte *buf); static ha_rows find_all_keys(SORTPARAM *param,SQL_SELECT *select, uchar * *sort_keys, IO_CACHE *buffer_file, IO_CACHE *tempfile,IO_CACHE *indexfile); @@ -238,9 +239,10 @@ ha_rows filesort(THD *thd, TABLE *table, SORT_FIELD *sortorder, uint s_length, } else { - if (!table_sort.buffpek && table_sort.buffpek_len < maxbuffer && - !(table_sort.buffpek= - (byte *) read_buffpek_from_file(&buffpek_pointers, maxbuffer))) + if (!(table_sort.buffpek= + read_buffpek_from_file(&buffpek_pointers, maxbuffer, + (table_sort.buffpek_len < maxbuffer ? + NULL : table_sort.buffpek)))) goto err; buffpek= (BUFFPEK *) table_sort.buffpek; table_sort.buffpek_len= maxbuffer; @@ -368,18 +370,20 @@ static char **make_char_array(char **old_pos, register uint fields, /* Read 'count' number of buffer pointers into memory */ -static BUFFPEK *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count) +static byte *read_buffpek_from_file(IO_CACHE *buffpek_pointers, uint count, + byte *buf) { - ulong length; - BUFFPEK *tmp; + ulong length= sizeof(BUFFPEK)*count; + byte *tmp= buf; DBUG_ENTER("read_buffpek_from_file"); if (count > UINT_MAX/sizeof(BUFFPEK)) return 0; /* sizeof(BUFFPEK)*count will overflow */ - tmp=(BUFFPEK*) my_malloc(length=sizeof(BUFFPEK)*count, MYF(MY_WME)); + if (!tmp) + tmp= (byte *)my_malloc(length, MYF(MY_WME)); if (tmp) { if (reinit_io_cache(buffpek_pointers,READ_CACHE,0L,0,0) || - my_b_read(buffpek_pointers, (byte*) tmp, length)) + my_b_read(buffpek_pointers, tmp, length)) { my_free((char*) tmp, MYF(0)); tmp=0; |