Bug#25172: Not checked buffer size leads to a server crash.

After fix for bug#21798 JOIN stores the pointer to the buffer for sorting fields. It is used while sorting for grouping and for ordering. If ORDER BY clause has more elements then the GROUP BY clause then a memory overrun occurs. Now the length of the ORDER BY list is always passed to the make_unireg_sortorder() function and it allocates buffer big enough to be used for bigger list.
author: evgen@moonbone.local <> 2007-01-19 18:34:09 +0300
committer: evgen@moonbone.local <> 2007-01-19 18:34:09 +0300
commit: d7d5db64ec83dc83728803bc9756dc53668da3c0 (patch)
tree: 2261174445362ee68b36085a334b263371a58648 /sql/sql_table.cc
parent: f3b3f1ef73d32d75926266989702dcacdc5a8f73 (diff)
download: mariadb-git-d7d5db64ec83dc83728803bc9756dc53668da3c0.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index b3bd3182a59..fd52b9becf6 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -3883,7 +3883,7 @@ copy_data_between_tables(TABLE *from,TABLE *to,
   Copy_field *copy,*copy_end;
   ulong found_count,delete_count;
   THD *thd= current_thd;
-  uint length;
+  uint length= 0;
   SORT_FIELD *sortorder;
   READ_RECORD info;
   TABLE_LIST   tables;
author	evgen@moonbone.local <>	2007-01-19 18:34:09 +0300
committer	evgen@moonbone.local <>	2007-01-19 18:34:09 +0300
commit	d7d5db64ec83dc83728803bc9756dc53668da3c0 (patch)
tree	2261174445362ee68b36085a334b263371a58648 /sql/sql_table.cc
parent	f3b3f1ef73d32d75926266989702dcacdc5a8f73 (diff)
download	mariadb-git-d7d5db64ec83dc83728803bc9756dc53668da3c0.tar.gz