Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15834

The code in TABLE_SHARE::init_from_binary_frm_image() is not safe

Details

    Description

      The code in TABLE_SHARE::init_from_binary_frm_image() is not safe for broken FRM files.

      In debug mode it can crash on assert.
      In release mode its behavior is not predictable.

      interval_nr=  (uint) strpos[12];
      		 
      ...
      		 
      DBUG_ASSERT(interval_nr); // Expect non-null expression
      		 
      ...
      		 
      vcol_info_length= interval_nr;
      		 
      vcol_expr_length= vcol_info_length -
      		 
                                (uint)(FRM_VCOL_OLD_HEADER_SIZE(opt_interval_id));
      		 
      ...

      The same problem presents in the branch for MYSQL57_GENERATED_FIELD (since 10.2), it's reported as a separate issue MDEV-16518.

      Attachments

        Issue Links

          blocks

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. MDEV-4912 Data type plugin API version 1

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-16518 MYSQL57_GENERATED_FIELD: The code in TABLE_SHARE::init_from_binary_frm_image() is not safe

          • Major - Major loss of function.
          • Closed

          Activity

            bar Alexander Barkov added a comment -

            To reproduce the problem, put the attached f1.frm into the MariaDB data directory and run:

            TRUNCATE TABLE t1;

            It crashes with the following output:

            mysqld: /home/bar/maria-git/server.5.5/sql/table.cc:1465: int open_binary_frm(THD*, TABLE_SHARE*, uchar*, File): Assertion `interval_nr' failed.
            		 
             
            		 
            Program received signal SIGABRT, Aborted.
            		 
            [Switching to Thread 0x7ffff7f81700 (LWP 8869)]
            		 
            0x00007ffff670ba28 in __GI_raise (sig=sig@entry=6)
            		 
                at ../sysdeps/unix/sysv/linux/raise.c:55
            		 
            55	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

            bar Alexander Barkov added a comment - To reproduce the problem, put the attached f1.frm into the MariaDB data directory and run: TRUNCATE TABLE t1; It crashes with the following output: mysqld: /home/bar/maria-git/server.5.5/sql/table.cc:1465: int open_binary_frm(THD*, TABLE_SHARE*, uchar*, File): Assertion `interval_nr' failed.   Program received signal SIGABRT, Aborted. [Switching to Thread 0x7ffff7f81700 (LWP 8869)] 0x00007ffff670ba28 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55 55 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

            People

              bar Alexander Barkov
              bar Alexander Barkov
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.