diff options
| author | Venkata Sidagam <venkata.sidagam@oracle.com> | 2012-11-09 19:19:11 +0530 |
|---|---|---|
| committer | Venkata Sidagam <venkata.sidagam@oracle.com> | 2012-11-09 19:19:11 +0530 |
| commit | 9749b60ee83da745f38f61e479476bd818dce850 (patch) | |
| tree | 89745cb50bc371f025f789b699e298fffbba9fe3 /storage/myisam/mi_search.c | |
| parent | c4b86599b200b57768f8f0cb58fe01a8cfc1fe23 (diff) | |
| download | mariadb-git-9749b60ee83da745f38f61e479476bd818dce850.tar.gz | |
Bug#13556000: CHECK AND REPAIR TABLE SHOULD BE MORE ROBUST[2]
Problem description: Corrupt key file for the table. Size of the
key is greater than the maximum specified size. This results in
the overflow of the key buffer while reading the key from key
file.
Fix: If size of key is greater than the maximum size it returns
an error before writing it into the key buffer. Gives error as
corrupt file but no stack overflow.
Diffstat (limited to 'storage/myisam/mi_search.c')
| -rw-r--r-- | storage/myisam/mi_search.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/storage/myisam/mi_search.c b/storage/myisam/mi_search.c index 7526b7c5518..8c656263651 100644 --- a/storage/myisam/mi_search.c +++ b/storage/myisam/mi_search.c @@ -945,9 +945,7 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, ("Found too long binary packed key: %u of %u at 0x%lx", length, keyinfo->maxlength, (long) *page_pos)); DBUG_DUMP("key", *page_pos, 16); - mi_print_error(keyinfo->share, HA_ERR_CRASHED); - my_errno=HA_ERR_CRASHED; - DBUG_RETURN(0); /* Wrong key */ + goto crashed; /* Wrong key */ } /* Key is packed against prev key, take prefix from prev key. */ from= key; @@ -990,6 +988,8 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, if (from == from_end) { from=page; from_end=page_end; } length+= (uint) ((*key++ = *from++)); } + if (length > keyseg->length) + goto crashed; } else length=keyseg->length; @@ -1029,15 +1029,18 @@ uint _mi_get_binary_pack_key(register MI_KEYDEF *keyinfo, uint nod_flag, if (from_end != page_end) { DBUG_PRINT("error",("Error when unpacking key")); - mi_print_error(keyinfo->share, HA_ERR_CRASHED); - my_errno=HA_ERR_CRASHED; - DBUG_RETURN(0); /* Error */ + goto crashed; /* Error */ } /* Copy data pointer and, if appropriate, key block pointer. */ memcpy((uchar*) key,(uchar*) from,(size_t) length); *page_pos= from+length; } DBUG_RETURN((uint) (key-start_key)+keyseg->length); + + crashed: + mi_print_error(keyinfo->share, HA_ERR_CRASHED); + my_errno= HA_ERR_CRASHED; + DBUG_RETURN(0); } |