Commit cff23162 authored by Alexander Barkov's avatar Alexander Barkov

Bug#49134 5.1 server segfaults with 2byte collation file

Problem: add_collation did not check that cs->number is smaller
than the number of elements in the array all_charsets[],
so server could crash when loading an Index.xml file with
a collation ID greater the number of elements 
(for example when downgrading from 5.5).

Fix: adding a condition to check that cs->number is not out of valid range.
parent 4578a5c6
...@@ -8,6 +8,13 @@ ...@@ -8,6 +8,13 @@
</rules> </rules>
</collation> </collation>
<collation name="utf8_hugeid_ci" id="2047000000">
<rules>
<reset>a</reset>
<s>b</s>
</rules>
</collation>
</charset> </charset>
<charset name="ucs2"> <charset name="ucs2">
......
...@@ -220,7 +220,8 @@ copy_uca_collation(CHARSET_INFO *to, CHARSET_INFO *from) ...@@ -220,7 +220,8 @@ copy_uca_collation(CHARSET_INFO *to, CHARSET_INFO *from)
static int add_collation(CHARSET_INFO *cs) static int add_collation(CHARSET_INFO *cs)
{ {
if (cs->name && (cs->number || if (cs->name && (cs->number ||
(cs->number=get_collation_number_internal(cs->name)))) (cs->number=get_collation_number_internal(cs->name))) &&
cs->number < array_elements(all_charsets))
{ {
if (!all_charsets[cs->number]) if (!all_charsets[cs->number])
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment