[MDEV-40200] bound shift width in dyncol integer readers - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Review (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6
Fix Version/s: 10.6
Component/s: Dynamic Columns
Labels:
- contribution

Bug Category:
Can result in unexpected behaviour

Description

Noticed the dyncol integer readers shift by an exponent taken from the value length.

In dynamic_column_uint_read() the i*8 shift reaches 64 once a COLUMN_GET() blob gives an integer column more than 8 data bytes, and dynamic_column_var_uint_get() keeps shifting length*7 over a run of 0x80 continuation bytes (the charset id of a string value, intg/frac of a decimal). Both are undefined and abort under -fsanitize=shift. Reject the over-long integer and cap the varint at 10 groups.

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Georgi Kodinov

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10 hours ago

Updated:: 10 hours ago

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.