From e0f3a0fae98bea144b962ef8dbbe62e0935aebb1 Mon Sep 17 00:00:00 2001
From: Tor Didriksen <tor.didriksen@oracle.com>
Date: Fri, 1 Nov 2013 16:39:19 +0100
Subject: [PATCH] Bug#17617945 BUFFER OVERFLOW IN GET_MERGE_MANY_BUFFS_COST
 WITH SMALL SORT_BUFFER_SIZE

get_cost_calc_buff_size() could return a wrong value for the size of imerge_cost_buff.
---
 sql/sql_class.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sql/sql_class.h b/sql/sql_class.h
index 9a9b2058e2..fd83930a8e 100644
--- a/sql/sql_class.h
+++ b/sql/sql_class.h
@@ -2987,11 +2987,13 @@ public:
   bool get(TABLE *table);
   static double get_use_cost(uint *buffer, uint nkeys, uint key_size, 
                              ulonglong max_in_memory_size);
+
+  // Returns the number of bytes needed in imerge_cost_buf.
   inline static int get_cost_calc_buff_size(ulong nkeys, uint key_size, 
                                             ulonglong max_in_memory_size)
   {
     register ulonglong max_elems_in_tree=
-      (1 + max_in_memory_size / ALIGN_SIZE(sizeof(TREE_ELEMENT)+key_size));
+      (max_in_memory_size / ALIGN_SIZE(sizeof(TREE_ELEMENT)+key_size));
     return (int) (sizeof(uint)*(1 + nkeys/max_elems_in_tree));
   }
 
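Review bot: With the `1 +` removed, `max_elems_in_tree` becomes 0 whenever `max_in_memory_size` is smaller than `ALIGN_SIZE(sizeof(TREE_ELEMENT)+key_size)`, and the following `nkeys/max_elems_in_tree` then divides by zero. That is the small sort_buffer_size case the subject line is about. Unless every caller guarantees a minimum buffer size (not visible in this hunk), add an explicit guard before the return, for example `if (max_elems_in_tree == 0) max_elems_in_tree= 1;`. Whatever fallback is chosen has to match how `get_use_cost()` counts trees, otherwise the buffer can be undersized again. Separately, the result is narrowed from a `ulonglong` expression to `int`, so the new comment could state the range the function assumes, and it spells the buffer `imerge_cost_buf` where the commit message says `imerge_cost_buff`.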
-- 
2.30.9