author: Marko Mäkelä <marko.makela@mariadb.com> 2021-04-13 10:28:13 +0300
committer: Marko Mäkelä <marko.makela@mariadb.com> 2021-04-13 10:28:13 +0300
commit: b8c8692fd93b68df8f70db5ffab82ed0d67008b3 (patch)
tree: 9d804937ebb94f5e7bba419f23166efe4bfad118 /storage/innobase/include/page0cur.ic
parent: 6e6318b29b446f76f01f2ef65d1460870b607d2a (diff)
MDEV-24620 ASAN heap-buffer-overflow in btr_pcur_restore_position()
bb-10.3-MDEV-24620
Between btr_pcur_store_position() and btr_pcur_restore_position() it is possible that purge empties a table and enlarges index->n_core_fields and index->n_core_null_bytes. Therefore, we must cache index->n_core_fields in btr_pcur_t::old_n_core_fields so that btr_pcur_t::old_rec can be parsed correctly. Unfortunately, this is a huge change, because we will replace "bool leaf" parameters with "ulint n_core" (passing index->n_core_fields, or 0 for non-leaf pages). For special cases where we know that index->is_instant() cannot hold, we may also pass index->n_fields.
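The stale-field-count problem the commit message describes, as an added example that is not MariaDB code: a toy record layout (an assumption, not InnoDB's format) is parsed once with the count cached alongside the stored copy and once with the live count after the index has grown. All `toy_*` names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Toy model (assumption, not InnoDB's record format): a record is
   n_core one-byte field lengths followed by the field data. */
struct toy_index { size_t n_core_fields; };   /* may grow concurrently */

struct toy_pcur {
    unsigned char old_rec[8];      /* copy taken at store time */
    size_t old_len;
    size_t old_n_core_fields;      /* count the copy was written with */
};

/* Compute end offsets of n_core fields; -1 if that layout would read
   past rec_len (the access ASAN reports as heap-buffer-overflow). */
static int toy_get_offsets(const unsigned char *rec, size_t rec_len,
                           size_t n_core, size_t *offsets)
{
    size_t pos = n_core;           /* data starts after the length header */
    if (n_core > rec_len) return -1;
    for (size_t i = 0; i < n_core; i++) {
        if (rec[i] > rec_len - pos) return -1;
        pos += rec[i];
        offsets[i] = pos;
    }
    return 0;
}

/* Store a copy of the record together with the count it was built with. */
static int toy_store(struct toy_pcur *c, const struct toy_index *ix,
                     const unsigned char *rec, size_t len)
{
    if (len > sizeof c->old_rec) return -1;
    memcpy(c->old_rec, rec, len);
    c->old_len = len;
    c->old_n_core_fields = ix->n_core_fields;
    return 0;
}

/* Restore using the cached count (use_cached=1) or the live one (0). */
static int toy_restore(const struct toy_pcur *c, const struct toy_index *ix,
                       int use_cached, size_t *offsets)
{
    size_t n = use_cached ? c->old_n_core_fields : ix->n_core_fields;
    return toy_get_offsets(c->old_rec, c->old_len, n, offsets);
}
```
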
Diffstat (limited to 'storage/innobase/include/page0cur.ic')
-rw-r--r-- storage/innobase/include/page0cur.ic 5
1 files changed, 3 insertions, 2 deletions
diff --git a/storage/innobase/include/page0cur.ic b/storage/innobase/include/page0cur.ic
index 4d7b5c3a42f..7896aa64792 100644
--- a/storage/innobase/include/page0cur.ic
+++ b/storage/innobase/include/page0cur.ic
@@ -1,7 +1,7 @@
/*****************************************************************************
Copyright (c) 1994, 2014, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2015, 2018, MariaDB Corporation.
+Copyright (c) 2015, 2021, MariaDB Corporation.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
@@ -278,7 +278,8 @@ page_cur_tuple_insert(
index, tuple, n_ext);
*offsets = rec_get_offsets(rec, index, *offsets,
- page_is_leaf(cursor->block->frame),
+ page_is_leaf(cursor->block->frame)
+ ? index->n_core_fields : 0,
ULINT_UNDEFINED, heap);
if (buf_block_get_page_zip(cursor->block)) {
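Review bot: the fourth argument of rec_get_offsets() in page_cur_tuple_insert() changes meaning from a leaf flag to a field count, and nothing at the call site protects against a caller that was missed in the conversion. A leftover `page_is_leaf(cursor->block->frame)` would still compile, because a bool converts silently to 1 and would then be taken as n_core = 1. Given that the commit message calls this a huge change, consider a debug assertion inside rec_get_offsets() that n_core is 0, index->n_core_fields or index->n_fields (the three values the message names), and a comment at the declaration stating that 0 means a non-leaf page. A small inline helper wrapping `page_is_leaf(...) ? index->n_core_fields : 0` would also keep the new convention in one place.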