authorSergey Vojtovich <svoj@sun.com>2010-03-25 15:18:14 +0400
committerSergey Vojtovich <svoj@sun.com>2010-03-25 15:18:14 +0400
commite38e30d0f6c78d17e8e191ee7a824bdafd997b17 (patch)
tree688e8b1b9cd13bddb199ed755c41bfb95e3a2b8c /storage/myisam/rt_index.c
parentf8a1823af371931cae0367eb3209cb835af19e80 (diff)
BUG#47598 - MyISAM may write uninitialized data to disk
When MyISAM writes a newly created index page, the page may be only partially initialized. In other words, some bytes of sensible data followed by the uninitialized tail of the page may go into the index file. Under certain rare circumstances these hunks of memory may contain data that would otherwise be inaccessible to the user, like passwords or data from other tables. Fixed by initializing memory for the temporary MyISAM key buffer to '\0'. No test case for this fix as it is heavily covered by existing tests.
Diffstat (limited to 'storage/myisam/rt_index.c')
-rw-r--r--storage/myisam/rt_index.c10
1 files changed, 1 insertions, 9 deletions
diff --git a/storage/myisam/rt_index.c b/storage/myisam/rt_index.c
index 31241a83228..410badd3145 100644
--- a/storage/myisam/rt_index.c
+++ b/storage/myisam/rt_index.c
@@ -641,18 +641,12 @@ static int rtree_insert_level(MI_INFO *info, uint keynr, uchar *key,
}
case 1: /* root was split, grow a new root */
{
- uchar *new_root_buf;
+ uchar *new_root_buf= info->buff + info->s->base.max_key_block_length;
my_off_t new_root;
uchar *new_key;
uint nod_flag = info->s->base.key_reflength;
DBUG_PRINT("rtree", ("root was split, grow a new root"));
- if (!(new_root_buf = (uchar*)my_alloca((uint)keyinfo->block_length +
- MI_MAX_KEY_BUFF)))
- {
- my_errno = HA_ERR_OUT_OF_MEM;
- DBUG_RETURN(-1); /* purecov: inspected */
- }
mi_putint(new_root_buf, 2, nod_flag);
if ((new_root = _mi_new(info, keyinfo, DFLT_INIT_HITS)) ==
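Review bot: The new declaration `new_root_buf= info->buff + info->s->base.max_key_block_length` makes the new root page alias the handler's shared scratch buffer, and nothing in this hunk shows that the region is large enough or left untouched while the page is built. The removed allocation reserved `keyinfo->block_length + MI_MAX_KEY_BUFF` bytes privately, so the code that allocates `info->buff` (not in this file section) has to guarantee at least that much room past the offset, and the helpers called between `mi_putint` and the page write must not use the same part of `info->buff`. A comment at the declaration would record that contract, for example `/* new_root_buf aliases info->buff past max_key_block_length; callees below must not use that region */`, ideally backed by a debug assertion on the available size. Since the buffer is reused across calls, the bytes past the used length may hold earlier page contents from this handler rather than zeros; the commit description only mentions initialization at allocation, so that residual case is worth stating in the same comment. The body of rtree_insert_level starts and ends outside the hunk.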
@@ -680,10 +674,8 @@ static int rtree_insert_level(MI_INFO *info, uint keynr, uchar *key,
DBUG_PRINT("rtree", ("new root page: %lu level: %d nod_flag: %u",
(ulong) new_root, 0, mi_test_if_nod(new_root_buf)));
- my_afree((uchar*)new_root_buf);
break;
err1:
- my_afree((uchar*)new_root_buf);
DBUG_RETURN(-1); /* purecov: inspected */
}
default: