From c7bb33724826dab53831b74bc0cf7ec311eb13f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?=
Date: Mon, 23 Apr 2018 16:19:50 +0300
Subject: MDEV-15723 Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when accessing corrupted record

dict_load_table_low(): When flagging an error, assign *table = NULL. Failure to do so could cause a crash if an error was flagged when accessing INFORMATION_SCHEMA.INNODB_SYS_TABLES.
---
 storage/innobase/dict/dict0load.cc | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'storage/innobase/dict/dict0load.cc')
diff --git a/storage/innobase/dict/dict0load.cc b/storage/innobase/dict/dict0load.cc
index 77a31e5de63..4fec7ae4df3 100644
--- a/storage/innobase/dict/dict0load.cc
+++ b/storage/innobase/dict/dict0load.cc
@@ -1,6 +1,7 @@
 /*****************************************************************************

 Copyright (c) 1996, 2016, Oracle and/or its affiliates. All Rights Reserved.
+Copyright (c) 2018, MariaDB Corporation.

 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
@@ -2057,10 +2058,12 @@ dict_load_table_low(
 ulint flags2;

 if (rec_get_deleted_flag(rec, 0)) {
+ *table = NULL;
 return("delete-marked record in SYS_TABLES");
 }

 if (rec_get_n_fields_old(rec) != DICT_NUM_FIELDS__SYS_TABLES) {
+ *table = NULL;
 return("wrong number of columns in SYS_TABLES record");
 }

@@ -2068,6 +2071,7 @@ dict_load_table_low(
 rec, DICT_FLD__SYS_TABLES__NAME, &len);
 if (len == 0 || len == UNIV_SQL_NULL) {
 err_len:
+ *table = NULL;
 return("incorrect column length in SYS_TABLES");
 }
 rec_get_nth_field_offs_old(
@@ -2147,6 +2151,7 @@ err_len:
 "InnoDB: in InnoDB data dictionary"
 " has unknown type %lx.\n",
 (ulong) flags);
+ *table = NULL;
 return("incorrect flags in SYS_TABLES");
 }

-- 
cgit v1.2.1
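Review bot: The four added `*table = NULL;` assignments in dict_load_table_low() (the delete-marked, column-count, `err_len:` and unknown-flags returns) cover only the error exits visible in these hunks. The function body starts and ends outside them, so any other or later-added error return would again leave the out-parameter unset. Assigning it once before the first check, `*table = NULL;` directly after the local declarations, would cover every path and remove the repetition. Because the record being parsed may come from a corrupted SYS_TABLES page, the function comment should also state the contract, for example `On error, *table is set to NULL and a static error string is returned`. It would also be worth confirming that the INFORMATION_SCHEMA caller checks the returned string before touching the table pointer.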