Commit 0f4f1f69 authored by unknown's avatar unknown

BUG#22053 - REPAIR table can crash server for some

            really damaged MyISAM tables

When unpacking a blob column from a broken row, the server could
crash. This was most likely to happen when trying to repair a
table using either REPAIR TABLE or myisamchk, though it could also
happen when accessing a broken row through other SQL statements
such as SELECT, if the table is not marked as crashed.

Fixed ulong overflow when trying to extract blob from
broken row.

Affects MyISAM only.


myisam/mi_dynrec.c:
  Fixed ulong overflow when trying to extract blob from
  broken row. It happens when there are not enough bytes
  to store blob length in `from' buffer. In this case
  (ulong) (from_end - from) - size_length value is huge,
  close to ULONG_MAX.
parent 2576c4c0
...@@ -992,8 +992,10 @@ ulong _mi_rec_unpack(register MI_INFO *info, register byte *to, byte *from, ...@@ -992,8 +992,10 @@ ulong _mi_rec_unpack(register MI_INFO *info, register byte *to, byte *from,
{ {
uint size_length=rec_length- mi_portable_sizeof_char_ptr; uint size_length=rec_length- mi_portable_sizeof_char_ptr;
ulong blob_length=_mi_calc_blob_length(size_length,from); ulong blob_length=_mi_calc_blob_length(size_length,from);
if ((ulong) (from_end-from) - size_length < blob_length || ulong from_left= (ulong) (from_end - from);
min_pack_length > (uint) (from_end -(from+size_length+blob_length))) if (from_left < size_length ||
from_left - size_length < blob_length ||
from_left - size_length - blob_length < min_pack_length)
goto err; goto err;
memcpy((byte*) to,(byte*) from,(size_t) size_length); memcpy((byte*) to,(byte*) from,(size_t) size_length);
from+=size_length; from+=size_length;
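Review bot: The new `from_left < size_length` test is evaluated only after `_mi_calc_blob_length(size_length,from)` on the preceding line has already read `size_length` bytes at `from`, so the exact case the commit sets out to reject (too few bytes left to hold the blob length) is still read past `from_end` before it is detected. Whether those bytes fall inside a larger record buffer or off the end of the allocation cannot be seen from this hunk, so on a damaged record this is at least an over-read of unrelated data and possibly worse; computing `from_left` and checking it before calling `_mi_calc_blob_length` removes the question at no cost. Keeping `blob_length` as a declaration at the top of the block preserves the file's C89 declaration-first layout. The two remaining comparisons are unchanged and cannot underflow once the first check has passed. `_mi_rec_unpack` begins and ends outside this hunk.
```c
    uint size_length=rec_length- mi_portable_sizeof_char_ptr;
    ulong from_left= (ulong) (from_end - from);
    ulong blob_length;
    if (from_left < size_length)
      goto err;
    blob_length=_mi_calc_blob_length(size_length,from);
    if (from_left - size_length < blob_length ||
        from_left - size_length - blob_length < min_pack_length)
      goto err;
    /* ... unchanged: memcpy of the length bytes and advance of from ... */
```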