Commit 39dc4616 authored by Marko Mäkelä

MDEV-22751 Uninitialized tbl_len in dict_acquire_mdl_shared()

A crash was observed where dict_acquire_mdl_shared<trylock=false>
would invoke memcpy() with an apparently uninitialized tbl_len.

dict_table_t::parse_name(): Remove an unnecessary tbl_len--
operation. (This should be mostly non-functional cleanup.)

dict_acquire_mdl_shared(): If the second dict_table_t::parse_name()
returns false, terminate the loop just like we would do on the
first invocation.
parent 58f3f692
......@@ -749,7 +749,6 @@ bool dict_table_t::parse_name(char (&db_name)[NAME_LEN + 1],
size_t tbl_len= strlen(name.m_name + db_len);
memcpy(tbl_buf, name.m_name + db_len + 1, tbl_len);
tbl_len--;
if (!dict_locked)
mutex_exit(&dict_sys.mutex);
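Review bot: In the two length lines of this hunk, tbl_len is taken from strlen(name.m_name + db_len) while memcpy() reads from name.m_name + db_len + 1, so the count and the copy source use different bases. As the lines are displayed here, that count covers the separator plus the table name, so the copy takes the name together with its terminating NUL, and without tbl_len-- the length handed back to the caller would be one more than the name length. Please measure from name.m_name + db_len + 1 and add a one-line comment stating whether tbl_len includes the terminator, so that the "mostly non-functional" claim in the commit message can be checked from the code.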
......@@ -883,7 +882,17 @@ dict_acquire_mdl_shared(dict_table_t *table,
size_t db1_len, tbl1_len;
table->parse_name<!trylock>(db_buf1, tbl_buf1, &db1_len, &tbl1_len);
if (!table->parse_name<!trylock>(db_buf1, tbl_buf1, &db1_len, &tbl1_len))
{
/* The table was renamed to #sql prefix.
Release MDL (if any) for the old name and return. */
if (*mdl)
{
mdl_context->release_lock(*mdl);
*mdl= nullptr;
}
return table;
}
if (*mdl)
{
......
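Review bot: The declaration size_t db1_len, tbl1_len; at the top of this hunk still leaves both lengths without initial values, and nothing forces a caller to look at the bool that parse_name() returns, which is the pattern the unchecked call shown here relied on. Consider initializing both to 0 and marking dict_table_t::parse_name() with a warn-unused-result attribute, so the compiler flags any future call that ignores the result before the lengths reach memcpy(). The new early-return branch also returns table with *mdl set to nullptr; a short comment on what callers should infer from that combination would help.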