[MDEV-22824] Buffer overflow in dict_table_t::parse_name() Created: 2020-06-07  Updated: 2020-06-07  Resolved: 2020-06-07

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - InnoDB
Affects Version/s: 10.5.1
Fix Version/s: 10.5.4

Type: Bug Priority: Major
Reporter: Marko Mäkelä Assignee: Marko Mäkelä
Resolution: Fixed Votes: 0
Labels: ASAN, corruption

Issue Links:
Problem/Incident
is caused by MDEV-16678 Use MDL for innodb background threads... Closed

Description

The test parts.longname that I extended for MDEV-22817 revealed another error that was introduced in MDEV-16678:

10.5 0e69f601aaafb920a9305c4ab5d380de2b43e917

==113772==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8718ff4b21 at pc 0x7f872870157d bp 0x7f8718ff47f0 sp 0x7f8718ff3f98
WRITE of size 394 at 0x7f8718ff4b21 thread T15
    #0 0x7f872870157c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x558391fc45d0 in bool dict_table_t::parse_name<true>(char (&) [193], char (&) [193], unsigned long*, unsigned long*) const /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:751
    #2 0x558391fc49c2 in dict_table_t* dict_acquire_mdl_shared<false>(dict_table_t*, THD*, MDL_ticket**, dict_table_op_t) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:819
    #3 0x558391faff5a in dict_table_open_on_id(unsigned long, bool, dict_table_op_t, THD*, MDL_ticket**) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:955

The problem is that we are copying the entire table name (with partition and subpartition names) to the buffer, and only then stripping the partition and subpartition components.
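The two copy orders side by side, as an added C example that is neither MariaDB code nor the MDEV-22824 fix. It assumes that an InnoDB internal name has the form db/table with "#P#partition" and "#SP#subpartition" appended for partitioned tables, and it models the vulnerable order by reporting how many bytes the unbounded copy would write rather than performing the out-of-bounds write; the function names, the 64-character constructed name and the rejection policy are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NAME_LEN is 192 in MariaDB (64 characters of up to 3 bytes); the 193-byte
   buffers in the ASan trace above are NAME_LEN + 1 for the terminating NUL. */
#define NAME_LEN 192

/* Assumption for this example: an InnoDB internal name is "db/table", and a
   partitioned table carries "#P#<part>" (and "#SP#<subpart>") after "table". */
#define PART_MARK "#P#"

/* Length of s up to the partition marker, or all of s if there is none. */
static size_t len_without_partition(const char *s)
{
    const char *p = strstr(s, PART_MARK);
    return p ? (size_t)(p - s) : strlen(s);
}

/* The order the report describes: the whole table component, partition and
   subpartition names included, is copied into the 193-byte buffer and only
   then cut at "#P#". Returns how many bytes that copy writes, so the overflow
   can be shown without actually performing an out-of-bounds write here. */
static size_t copy_then_strip_bytes_written(const char *name)
{
    const char *slash = strchr(name, '/');
    const char *tbl = slash ? slash + 1 : name;
    return strlen(tbl) + 1;     /* strcpy() would write this many bytes */
}

/* Hardened order: measure the components with the suffix already stripped,
   refuse anything that does not fit, and only then copy. */
static bool parse_name_safe(const char *name,
                            char db_name[NAME_LEN + 1],
                            char tbl_name[NAME_LEN + 1],
                            size_t *db_len, size_t *tbl_len)
{
    const char *slash = strchr(name, '/');
    if (!slash)
        return false;
    size_t dlen = (size_t)(slash - name);
    size_t tlen = len_without_partition(slash + 1);
    if (dlen == 0 || tlen == 0 || dlen > NAME_LEN || tlen > NAME_LEN)
        return false;           /* would not fit: reject rather than truncate */
    memcpy(db_name, name, dlen);
    db_name[dlen] = '\0';
    memcpy(tbl_name, slash + 1, tlen);
    tbl_name[tlen] = '\0';
    *db_len = dlen;
    *tbl_len = tlen;
    return true;
}

/* Table length parse_name_safe() yields for name, or 0 if it rejects it. */
static size_t demo_safe_table_len(const char *name)
{
    char db[NAME_LEN + 1], tbl[NAME_LEN + 1];
    size_t dl, tl;
    return parse_name_safe(name, db, tbl, &dl, &tl) ? tl : 0;
}

/* Constructed input: "test/" + a 64-character table name, partition name and
   subpartition name, each made of 3-byte UTF-8 characters (192 bytes each).
   Every component is a legal NAME_LEN name on its own. */
static const char *long_partitioned_name(void)
{
    static char buf[1024];
    static const char euro[] = "\xe2\x82\xac";   /* U+20AC, 3 bytes */
    if (buf[0])
        return buf;
    size_t n = 0;
    memcpy(buf + n, "test/", 5); n += 5;
    for (int comp = 0; comp < 3; comp++) {
        if (comp == 1) { memcpy(buf + n, "#P#", 3);  n += 3; }
        if (comp == 2) { memcpy(buf + n, "#SP#", 4); n += 4; }
        for (int i = 0; i < 64; i++) { memcpy(buf + n, euro, 3); n += 3; }
    }
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *name = long_partitioned_name();
    char db[NAME_LEN + 1], tbl[NAME_LEN + 1];
    size_t dl, tl;
    printf("copy-then-strip writes %zu bytes into a %d-byte buffer\n",
           copy_then_strip_bytes_written(name), NAME_LEN + 1);
    if (parse_name_safe(name, db, tbl, &dl, &tl))
        printf("strip-then-copy: db=\"%s\" (%zu bytes), table %zu bytes, no \"#P#\"\n",
               db, dl, tl);
    return 0;
}
```

The constructed name is valid by every per-component rule, which is the point: the 193-byte buffer is sized for one stripped component, so the copy is only safe once the partition and subpartition suffixes have been measured out before the copy, not after it.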


Generated at Thu Feb 08 09:17:45 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.