BUG#11392 - fulltext search bug
Fulltext boolean mode phrase search may crash server on platforms where size of pointer is not equal to size of unsigned integer (in other words some 64-bit platforms). The problem was integer overflow. Affects 4.1 only. myisam/ft_boolean_search.c: my_match_t::beg is unsigned int, that means type of expression (m[0].beg - 1) has unsigned type too. It may happen that instr() finds substring in the beggining of passed string, returning m[0].beg equal to 0. In this case value of expression (m[0].beg - 1) is equal to MAX_UINT. This is not a problem on platforms where sizeof(pointer) equals to sizeof(uint). That means ptr[(uint)-1] = ptr[(uint)MAX_UINT] = ptr - 1. On some 64-bit platforms where sizeof(pointer) is 8 and sizeof(uint) is 4, wrong address gets accessed. In other words ptr[(uint)-1] is equal to ptr + MAX_UINT. mysql-test/r/fulltext.result: A test case for BUG#11392. mysql-test/t/fulltext.test: A test case for BUG#11392.
Showing
Please register or sign in to comment