[MDEV-16518] MYSQL57_GENERATED_FIELD: The code in TABLE_SHARE::init_from_binary_frm_image() is not safe Created: 2018-06-19  Updated: 2019-04-26  Resolved: 2019-04-26

Status: Closed
Project: MariaDB Server
Component/s: Virtual Columns
Affects Version/s: 10.2, 10.3, 10.4
Fix Version/s: 10.2.24, 10.3.15, 10.4.5

Type: Bug Priority: Major
Reporter: Alexander Barkov Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: None

Attachments: File mdev16518.frm    
Issue Links:
Relates
relates to MDEV-15834 The code in TABLE_SHARE::init_from_bi... Closed

 Description   

This problem is similar to MDEV-15834, but for 10.2-specific code in the code branch for MYSQL57_GENERATED_FIELD:

vcol_info_length= uint2korr(vcol_screen_pos + 1);
...
DBUG_ASSERT(vcol_info_length);
...
vcol_screen_pos+= vcol_info_length + MYSQL57_GCOL_HEADER_SIZE;

In case of a broken FRM file, this can crash in the debug build or behave unpredictably in a release build.
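
The pattern quoted in the description, rewritten with run-time bounds checks. This is an added example, not part of the original report and not MariaDB's actual fix. The names walk_gcol_records and read_le16, the header size of 4 and the sample byte arrays are assumptions constructed for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for MYSQL57_GCOL_HEADER_SIZE; the value 4 is assumed here. */
#define GCOL_HEADER_SIZE 4

/* Same job as uint2korr(): read a 2-byte little-endian integer. */
static unsigned read_le16(const uint8_t *p)
{
  return (unsigned) p[0] | ((unsigned) p[1] << 8);
}

/* Walk `count` records in buf[0..size). Returns 0 and sets *consumed when
   every record fits inside the buffer, -1 when the image is corrupt. */
int walk_gcol_records(const uint8_t *buf, size_t size, unsigned count,
                      size_t *consumed)
{
  size_t off= 0;
  for (unsigned i= 0; i < count; i++)
  {
    /* The header must fit before its length field is read. */
    if (size - off < GCOL_HEADER_SIZE)
      return -1;
    unsigned len= read_le16(buf + off + 1);
    /* Run-time replacement for DBUG_ASSERT(vcol_info_length). */
    if (len == 0)
      return -1;
    /* Compare against the bytes left; never advance first and check later. */
    if (len > size - off - GCOL_HEADER_SIZE)
      return -1;
    off+= len + GCOL_HEADER_SIZE;
  }
  *consumed= off;
  return 0;
}

/* Constructed sample images, not taken from mdev16518.frm. */
const uint8_t sample_ok[]=   {1, 3, 0, 0, 'a', '+', 'b',  1, 1, 0, 1, 'c'};
const uint8_t sample_zero[]= {1, 0, 0, 0};
const uint8_t sample_big[]=  {1, 0xFF, 0xFF, 0, 'a'};

int main(void)
{
  size_t n= 0;
  printf("ok=%d zero=%d big=%d\n",
         walk_gcol_records(sample_ok, sizeof sample_ok, 2, &n),
         walk_gcol_records(sample_zero, sizeof sample_zero, 1, &n),
         walk_gcol_records(sample_big, sizeof sample_big, 1, &n));
  return 0;
}
```

Because the checks are ordinary conditionals rather than debug-only assertions, a corrupt length field is rejected the same way in debug and release builds.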



 Comments   
Comment by Alexander Barkov [ 2019-04-26 ]

If I put the attached mdev16518.frm into mysql-test/std_data/frm, then this mtr test crashes on the mentioned DBUG_ASSERT:

--copy_file std_data/frm/mdev16518.frm $MYSQLD_DATADIR/test/t1.frm
SHOW TABLES;
--replace_result $MYSQLD_DATADIR ./
SHOW CREATE TABLE t1;
