[Commits] fcef460: MDEV-10951 Field_newdate::cmp access violation

wlad at mariadb.com wlad at mariadb.com
Tue Oct 4 19:40:09 EEST 2016


revision-id: fcef460ef0b10300c3b3bdc11260a9fa71f181ca (mariadb-10.0.27-4-gfcef460)
parent(s): a3f11f75499ffc867aefe24c80a9c57fbdfb8ac2
author: Vladislav Vaintroub
committer: Vladislav Vaintroub
timestamp: 2016-10-04 18:39:40 +0200
message:

MDEV-10951 Field_newdate::cmp access violation

The crash is caused by macro uint3korr() accessing memory (1 byte) past
the end of allocated page. The macro is written such it reads 4 bytes
instead of 3 and discards the value of the last byte.

However, it is not always guaranteed that all uint3korr accesses will be
valid (i.e that the caller allocates an extra byte after the value).

In particular, the tree in Item_func_group_concat does not account for
any extra bytes that it would need for comparison of keys in some cases
(Field_newdate::cmp, Field_medium::cmp)

The fix change uint3korr so it does not access extra bytes.

---
 include/byte_order_generic_x86.h    | 8 --------
 include/byte_order_generic_x86_64.h | 8 --------
 2 files changed, 16 deletions(-)

diff --git a/include/byte_order_generic_x86.h b/include/byte_order_generic_x86.h
index 0a71a17..b6db748 100644
--- a/include/byte_order_generic_x86.h
+++ b/include/byte_order_generic_x86.h
@@ -28,17 +28,9 @@
 #define sint4korr(A)	(*((const long *) (A)))
 #define uint2korr(A)	(*((const uint16 *) (A)))
 
-/*
-  Attention: Please, note, uint3korr reads 4 bytes (not 3)!
-  It means, that you have to provide enough allocated space.
-*/
-#if defined(HAVE_valgrind) && !defined(_WIN32)
 #define uint3korr(A)	(uint32) (((uint32) ((uchar) (A)[0])) +\
 				  (((uint32) ((uchar) (A)[1])) << 8) +\
 				  (((uint32) ((uchar) (A)[2])) << 16))
-#else
-#define uint3korr(A)	(long) (*((const unsigned int *) (A)) & 0xFFFFFF)
-#endif
 
 #define uint4korr(A)	(*((const uint32 *) (A)))
 #define uint5korr(A)	((ulonglong)(((uint32) ((uchar) (A)[0])) +\
diff --git a/include/byte_order_generic_x86_64.h b/include/byte_order_generic_x86_64.h
index b6b0c5d..8c74939 100644
--- a/include/byte_order_generic_x86_64.h
+++ b/include/byte_order_generic_x86_64.h
@@ -27,17 +27,9 @@
 				  ((uint32) (uchar) (A)[0])))
 #define sint4korr(A)	(int32)  (*((int32 *) (A)))
 #define uint2korr(A)	(uint16) (*((uint16 *) (A)))
-/*
-  Attention: Please, note, uint3korr reads 4 bytes (not 3)!
-  It means, that you have to provide enough allocated space.
-*/
-#if defined(HAVE_valgrind) && !defined(_WIN32)
 #define uint3korr(A)	(uint32) (((uint32) ((uchar) (A)[0])) +\
 				  (((uint32) ((uchar) (A)[1])) << 8) +\
 				  (((uint32) ((uchar) (A)[2])) << 16))
-#else
-#define uint3korr(A)	(uint32) (*((unsigned int *) (A)) & 0xFFFFFF)
-#endif
 #define uint4korr(A)	(uint32) (*((uint32 *) (A)))
 #define uint5korr(A)	((ulonglong)(((uint32) ((uchar) (A)[0])) +\
 				    (((uint32) ((uchar) (A)[1])) << 8) +\


More information about the commits mailing list