From 04fd2f18cb9de58d62ec6c860f586b9f81a95300 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 1 Aug 2013 11:46:11 +0300 Subject: MDEV-4811 Assertion `offset < 0x1f' fails in type_and_offset_store on COLUMN_ADD MDEV-4812 Valgrind warnings (Invalid write) in dynamic_column_update_many on COLUMN_ADD Fixed problem of working on wrong data (do not allow offset to out of string length). --- mysys/ma_dyncol.c | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) (limited to 'mysys/ma_dyncol.c') diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c index 03d9007c7cb..f01d69f0b25 100644 --- a/mysys/ma_dyncol.c +++ b/mysys/ma_dyncol.c @@ -1228,13 +1228,14 @@ dynamic_column_create(DYNAMIC_COLUMN *str, uint column_nr, @param header_end Pointer to the header end @param offset_size Size of offset field in bytes @param last_offset Size of the data segment + @param error Set in case of error @return number of bytes */ static size_t get_length_interval(uchar *entry, uchar *entry_next, uchar *header_end, size_t offset_size, - size_t last_offset) + size_t last_offset, my_bool *error) { size_t offset, offset_next; DYNAMIC_COLUMN_TYPE type, type_next; @@ -1242,8 +1243,12 @@ static size_t get_length_interval(uchar *entry, uchar *entry_next, type_and_offset_read(&type, &offset, entry, offset_size); if (entry_next >= header_end) + { + *error= 0; return (last_offset - offset); + } type_and_offset_read(&type_next, &offset_next, entry_next, offset_size); + *error= (offset_next > last_offset); return (offset_next - offset); } 
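Review bot: The added `@param error` line says only "Set in case of error", which does not tell a caller that the flag is an output written on every call, or which condition it reports. As committed it is 1 only when the next entry's offset exceeds last_offset and 0 otherwise, so I would write `@param error [out] always written: 1 if the next entry's offset is beyond last_offset, else 0`. The same wording is repeated in get_length's comment in the @@ -1255 hunk. The comment block itself starts above this hunk.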
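Review bot: The new `*error` flag misses two malformed-offset cases in get_length_interval, and both make the returned size_t wrap. In the last-entry branch `*error= 0;` is unconditional, so `offset > last_offset` still wraps `last_offset - offset`. In the other branch only `offset_next > last_offset` is tested, so `offset > offset_next` still wraps `offset_next - offset`. I would set `*error= (offset > last_offset);` in the first branch and `*error= (offset_next > last_offset || offset > offset_next);` in the second. Until then the callers in the @@ -1329, @@ -1837 and @@ -2038 hunks depend on `(long) ... < 0` to catch the wrap, and converting an out-of-range size_t to long is implementation-defined. The function's signature is in the preceding hunk.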
@@ -1255,17 +1260,18 @@ static size_t get_length_interval(uchar *entry, uchar *entry_next, @param header_end Pointer to the header end @param offset_size Size of offset field in bytes @param last_offset Size of the data segment + @param error Set in case of error @return number of bytes */ static size_t get_length(uchar *entry, uchar *header_end, size_t offset_size, - size_t last_offset) + size_t last_offset, my_bool *error) { return get_length_interval(entry, entry + offset_size + COLUMN_NUMBER_SIZE, - header_end, offset_size, last_offset); + header_end, offset_size, last_offset, error); } @@ -1304,6 +1310,7 @@ find_column(DYNAMIC_COLUMN_TYPE *type, uchar **data, size_t *length, uchar *entry; size_t offset, total_data, header_size, entry_size; uchar key[2+4]; + my_bool error; if (!entry_pos) entry_pos= &entry; @@ -1329,12 +1336,12 @@ find_column(DYNAMIC_COLUMN_TYPE *type, uchar **data, size_t *length, return 1; *data= header + header_size + offset; *length= get_length(entry, header + header_size, offset_size, - total_data); + total_data, &error); /* Check that the found data is withing the ranges. This can happen if we get data with wrong offsets. */ - if ((long) *length < 0 || offset + *length > total_data) + if (error || (long) *length < 0 || offset + *length > total_data) return 1; *entry_pos= entry; @@ -1837,12 +1844,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, entry_size, column_count, &entry)) { size_t entry_data_size; + my_bool error; /* Data existed; We have to replace or delete it */ entry_data_size= get_length(entry, header_end, - offset_size, max_offset); - if ((long) entry_data_size < 0) + offset_size, max_offset, &error); + if (error || (long) entry_data_size < 0) { rc= ER_DYNCOL_FORMAT; goto end; 
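Review bot: In the @@ -1329 hunk of find_column, `*data` and `*length` are stored from the still-unvalidated offset before the extended range check runs. On the `return 1` path the caller's output variables therefore already hold a pointer and length taken from a malformed header. That is safe only if every caller checks the return value before touching them. Moving `*data= header + header_size + offset;` below the check would at least stop an out-of-range pointer from being published. find_column begins and continues outside this hunk, so whether `offset` is bounded earlier is not visible here.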
@@ -2038,12 +2046,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str, /* copy first the data that was not replaced in original packed data */ if (start < end) { + my_bool error; /* Add old data last in 'tmp' */ size_t data_size= get_length_interval(header_base + start * entry_size, header_base + end * entry_size, - header_end, offset_size, max_offset); - if ((long) data_size < 0 || + header_end, offset_size, max_offset, &error); + if (error || (long) data_size < 0 || data_size > max_offset - first_offset) { dynamic_column_column_free(&tmp); -- cgit v1.2.1 From 9a28e43305bf62e1cef269c395f3ac212c659347 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 20 Aug 2013 16:23:30 +0300 Subject: new format length calculation check added. --- mysys/ma_dyncol.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'mysys/ma_dyncol.c') diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c index 2ab5f443233..448ad8269fa 100644 --- a/mysys/ma_dyncol.c +++ b/mysys/ma_dyncol.c @@ -1941,13 +1941,15 @@ static size_t hdr_interval_length(DYN_HEADER *hdr, uchar *next_entry) if ((*fmt->type_and_offset_read)(&hdr->type, &hdr->offset, hdr->entry + fmt->fixed_hdr_entry, - hdr->offset_size)) + hdr->offset_size) || + hdr->data_size < hdr->offset) return DYNCOL_OFFSET_ERROR; if (next_entry == hdr->header + hdr->header_size) return hdr->data_size - hdr->offset; if ((*fmt->type_and_offset_read)(&next_entry_type, &next_entry_offset, next_entry + fmt->fixed_hdr_entry, - hdr->offset_size)) + hdr->offset_size) || + hdr->data_size < next_entry_offset) return DYNCOL_OFFSET_ERROR; return (next_entry_offset - hdr->offset); } -- cgit v1.2.1 From 42f56557f59705aeec83a54f02399b04d52e9eea Mon Sep 17 00:00:00 2001 
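Review bot: In the @@ -1941 hunk of hdr_interval_length, the two added comparisons bound each offset by `hdr->data_size`, but nothing rejects `next_entry_offset < hdr->offset`. The final `next_entry_offset - hdr->offset` can therefore still wrap to a very large size_t when a malformed header lists offsets out of order. Extending the second condition with `|| next_entry_offset < hdr->offset` would return DYNCOL_OFFSET_ERROR for that case as well. How callers treat an oversized result is not visible in this hunk, and the function's opening lines are outside it.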
From: Sergei Golubchik Date: Mon, 9 Sep 2013 19:31:29 +0200 Subject: MDEV-4941 make: AIX fails with 'Identifier not allowed in cast'; syntax error in include/my_global.h C++ comments in C files, and a typo in my_global.h --- mysys/ma_dyncol.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'mysys/ma_dyncol.c') diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c index 88730f9dc4f..62227ab6834 100644 --- a/mysys/ma_dyncol.c +++ b/mysys/ma_dyncol.c @@ -1385,7 +1385,8 @@ static inline my_bool read_fixed_header(DYNAMIC_COLUMN *str, @return ER_DYNCOL_* return code */ -int dynamic_column_get(DYNAMIC_COLUMN *str, uint column_nr, +enum enum_dyncol_func_result +dynamic_column_get(DYNAMIC_COLUMN *str, uint column_nr, DYNAMIC_COLUMN_VALUE *store_it_here) { uchar *data; @@ -1457,7 +1458,8 @@ err: @return ER_DYNCOL_* return code */ -int dynamic_column_delete(DYNAMIC_COLUMN *str, uint column_nr) +enum enum_dyncol_func_result +dynamic_column_delete(DYNAMIC_COLUMN *str, uint column_nr) { uchar *data, *header_entry, *read, *write; size_t offset_size, new_offset_size, length, entry_size, new_entry_size, @@ -2111,7 +2113,8 @@ create_new_string: */ -int dynamic_column_update(DYNAMIC_COLUMN *str, uint column_nr, +enum enum_dyncol_func_result +dynamic_column_update(DYNAMIC_COLUMN *str, uint column_nr, DYNAMIC_COLUMN_VALUE *value) { return dynamic_column_update_many(str, 1, &column_nr, value); -- cgit v1.2.1