[#MDEV-15834] The code in TABLE_SHARE::init_from_binary_frm

[MDEV-15834] The code in TABLE_SHARE::init_from_binary_frm_image() is not safe Created: 2018-04-10 Updated: 2018-06-26 Resolved: 2018-06-19
Status:	Closed
Project:	MariaDB Server
Component/s:	Virtual Columns
Affects Version/s:	5.5, 10.0, 10.1, 10.2, 10.3
Fix Version/s:	5.5.61, 10.0.36, 10.1.35, 10.2.16, 10.3.8, 10.4.0

Type:

Bug

Priority:

Major

Reporter:

Alexander Barkov

Assignee:

Alexander Barkov

Resolution:

Fixed

Votes:

Labels:

None

Attachments:

t1.frm

Issue Links:

Blocks
blocks	~~MDEV-4912~~	Data type plugin API version 1	Closed
Relates
relates to	~~MDEV-16518~~	MYSQL57_GENERATED_FIELD: The code in ...	Closed

Description

The code in TABLE_SHARE::init_from_binary_frm_image() is not safe for broken FRM files.

In debug mode it can crash on assert.
In release mode its behavior is not predictable.

interval_nr=  (uint) strpos[12];

...

DBUG_ASSERT(interval_nr); // Expect non-null expression

...

vcol_info_length= interval_nr;

vcol_expr_length= vcol_info_length -

                          (uint)(FRM_VCOL_OLD_HEADER_SIZE(opt_interval_id));

...

The same problem presents in the branch for MYSQL57_GENERATED_FIELD (since 10.2), it's reported as a separate issue ~~MDEV-16518~~.

Comments

Comment by Alexander Barkov [ 2018-06-19 ]

To reproduce the problem, put the attached f1.frm into the MariaDB data directory and run:

TRUNCATE TABLE t1;

It crashes with the following output:

mysqld: /home/bar/maria-git/server.5.5/sql/table.cc:1465: int open_binary_frm(THD*, TABLE_SHARE*, uchar*, File): Assertion `interval_nr' failed.

Program received signal SIGABRT, Aborted.

[Switching to Thread 0x7ffff7f81700 (LWP 8869)]

0x00007ffff670ba28 in __GI_raise (sig=sig@entry=6)

    at ../sysdeps/unix/sysv/linux/raise.c:55

55	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

Generated at Thu Feb 08 08:24:23 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.