Commit c0470caf authored by Marko Mäkelä

MDEV-29471 Buffer overflow in page_cur_insert_rec_low()

In commit 244fdc43 (MDEV-29438)
we made sure that if the preceding record is the page infimum record,
no more than 8 bytes will be read from it. But, if the data payload of
the being-inserted record is less than 8 bytes (this can happen in
secondary indexes), we must not compare all 8 bytes.

This was caught by a failure of the test gcol.innodb_virtual_basic
under MemorySanitizer and some builds with AddressSanitizer.
parent ba987a46
...@@ -1573,7 +1573,9 @@ page_cur_insert_rec_low( ...@@ -1573,7 +1573,9 @@ page_cur_insert_rec_low(
{ {
const byte *r= rec; const byte *r= rec;
const byte *c= cur->rec; const byte *c= cur->rec;
const byte *c_end= c + (page_rec_is_infimum(c) ? 8 : data_size); const byte *c_end= c + data_size;
if (page_rec_is_infimum(c) && data_size > 8)
c_end= c + 8;
static_assert(REC_N_OLD_EXTRA_BYTES == REC_N_NEW_EXTRA_BYTES + 1, ""); static_assert(REC_N_OLD_EXTRA_BYTES == REC_N_NEW_EXTRA_BYTES + 1, "");
if (c <= insert_buf && c_end > insert_buf) if (c <= insert_buf && c_end > insert_buf)
c_end= insert_buf; c_end= insert_buf;
......
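Review bot: The literal 8 in the new `if (page_rec_is_infimum(c) && data_size > 8)` / `c_end= c + 8;` pair has no comment or named constant at the point of use, so the reason for the bound is only recoverable from the commit message. Since this is the second fix to the same read bound (after 244fdc43), a short comment above `c_end` stating that at most 8 bytes may be read from the infimum record and that the comparison length is the smaller of `data_size` and that limit would make the invariant visible to the next editor. Writing the bound as a single min() of `data_size` and 8 in the infimum case, instead of assign-then-override, would also make it harder to reintroduce the unconditional `? 8 :` form that this change removes.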