• unknown's avatar
    Fix bug lp:993745 · a61456e7
    unknown authored
    This is a backport of the fix for MySQL bug #13723054 in 5.6.
    
    Original comment:
          The crash is caused by arbitrary memory area owerwriting in case of
          BLOB fields during attempt to copy BLOB field key image into record
          buffer(record buffer is too small to get BLOB key part image).
          note:
          QUICK_GROUP_MIN_MAX_SELECT can not work with BLOB fields
          because it uses record buffer as temporary buffer for key values
          however this case is filtered out by covering_keys() check
          in get_best_group_min_max() as BLOBs always require key length
          modificator in the key declaration and if the key has a BLOB
          then it can not be covered key.
          The fix is to use 'max_used_key_length' key length instead of 0.
    
    Analysis:
    Spcifically the crash in this bug was a result of the call to key_copy()
    that copied the whole key, inlcuding the BLOB field which is not used
    for index access. Copying the blob field overwrote memory as far as the
    function parameter 'key_info'. As a result the contents of key_info was
    all 0, which resulted in a crash when this key_info was accessed few
    lines below in key_cmp().
    a61456e7
func_group_innodb.test 2.78 KB