From:Sergey Vojtovich Date:October 13 2006 12:10pm
Subject:bk commit into 4.1 tree (svoj:1.2530) BUG#22053
Below is the list of changes that have just been committed into a local
4.1 repository of svoj. When svoj does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2006-10-13 15:10:14+05:00, svoj@stripped +1 -0
  BUG#22053 - REPAIR table can crash server for some
              really damaged MyISAM tables
  
  When unpacking a blob column from a broken row, a server crash
  could happen. This could rather happen when trying to repair
  a table using either REPAIR TABLE or myisamchk, though it
  also could happen when trying to access a broken row using
  other SQL statements like SELECT if the table is not marked as
  crashed.
  
  Fixed ulong overflow when trying to extract blob from
  broken row.
  
  Affects MyISAM only.
  
  No test case, since it needs broken myisam table.

  myisam/mi_dynrec.c@stripped, 2006-10-13 15:10:10+05:00, svoj@stripped +5 -3
    Fixed ulong overflow when trying to extract blob from
    broken row. It happens when there are not enough bytes
    to store blob length in `from' buffer. In this case
    (ulong) (from_end - from) - size_length value is huge,
    close to ULONG_MAX.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	svoj
# Host:	may.pils.ru
# Root:	/home/svoj/devel/mysql/BUG22053/mysql-4.1-engines

--- 1.40/myisam/mi_dynrec.c	2006-10-13 15:10:20 +05:00
+++ 1.41/myisam/mi_dynrec.c	2006-10-13 15:10:20 +05:00
@@ -992,9 +992,11 @@
       {
 	uint size_length=rec_length- mi_portable_sizeof_char_ptr;
 	ulong blob_length=_mi_calc_blob_length(size_length,from);
-	if ((ulong) (from_end-from) - size_length < blob_length ||
-	    min_pack_length > (uint) (from_end -(from+size_length+blob_length)))
-	  goto err;
+        ulong from_left= (ulong) (from_end - from);
+        if (from_left < size_length ||
+            from_left - size_length < blob_length ||
+            from_left - size_length - blob_length < min_pack_length)
+          goto err;
 	memcpy((byte*) to,(byte*) from,(size_t) size_length);
 	from+=size_length;
 	memcpy_fixed((byte*) to+size_length,(byte*) &from,sizeof(char*));
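Review bot: the unchanged call `_mi_calc_blob_length(size_length,from)` just above the new check still reads size_length bytes at `from` before `from_left < size_length` has been verified, so a row truncated inside the length field is still read past `from_end` before it is rejected; hoisting the `from_left < size_length` test above that call would close that read as well. The order of the three comparisons is what keeps each subtraction from wrapping (from_left >= size_length is established before `from_left - size_length` is computed, and likewise for blob_length), so a one-line comment stating that the order is load-bearing would protect it from a later tidy-up. Minor: the added lines are indented with spaces while the surrounding block uses tabs.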