
maria-developers team mailing list archive

Re: MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL


Hi, Alexander!

On Jun 20, Alexander Barkov wrote:
> Hi Sergei,
> Please review a patch for mdev-10020.
> The problem was that the loop in get_func_mm_tree()
> accessed an improperly initialized instance of String,
> which is a bzero'ed part of the in_vector::base array.

Could you, please, show complete commits in the future?
Like, commit first, then put the output of "git show" in the email.
Or fix the post-commit email trigger to work.

In this particular case I would've liked to see how much of your fine
explanation will go into commit comment.

> Strings in in_vector::base are initialized
> in Item_func_in::fix_length_and_dec():
> in in_vector::in_vector() using sql_calloc,
> rather than a String constructor, so the str_charset member
> of this String is NULL.
> Strings in in_vector::base are later initialized in
> Item_func_in::fix_length_and_dec(), using array->set(),
> in this code:
> NULLs are not taken into account, so array->used_count can
> be smaller than array->count.
> This patch fixes the loop in opt_range.cc, in get_func_mm_tree(),
> to access only properly initialized elements in in_vector::base,
> preventing access to its bzero'ed non-initialized tail.

ok to push!

> diff --git a/sql/opt_range.cc b/sql/opt_range.cc
> index f051ed0..ae5899d 100644
> --- a/sql/opt_range.cc
> +++ b/sql/opt_range.cc
> @@ -7730,7 +7730,7 @@ static SEL_TREE *get_func_mm_tree(RANGE_OPT_PARAM *param, Item_func *cond_func,
>            break;
>          }
>          SEL_TREE *tree2;
> -        for (; i < func->array->count; i++)
> +        for (; i < func->array->used_count; i++)
>          {
>            if (func->array->compare_elems(i, i-1))
>            {
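Review bot: the `break` at the top of this hunk implies an earlier loop over the same array that this hunk does not show; please confirm that loop is bounded by `used_count` as well, otherwise the first pass still walks into the zeroed tail before this corrected loop is reached. Since the body calls `compare_elems(i, i-1)` on `String` objects that were only `sql_calloc`'ed, any index at or beyond `used_count` has a NULL `str_charset`, so a one-line comment at the changed bound, e.g. `/* NULLs are not stored: elements [used_count, count) are uninitialized */`, would document why `count` is the wrong limit here and keep the next reader from "fixing" it back.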

Chief Architect MariaDB
and security@xxxxxxxxxxx
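The failure mode in the thread above, as an added stand-alone model (example code written for this page, not MariaDB's own in_vector or String): elements are allocated with calloc so no constructor runs, only the non-NULL list items are stored via set(), and a scan bounded by count rather than used_count reaches a zero-filled element whose charset pointer is still NULL. The InVector, Str, Charset and UninitializedElement names, and the use of strcmp in place of the server's collation dispatch, are assumptions made for the model; the real compare_elems() would dereference the NULL charset instead of throwing.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Stand-in for the server's CHARSET_INFO (assumed name).
struct Charset { const char* name; };

// Stand-in for String: a calloc'ed element never gets a constructor, so cs stays NULL.
struct Str {
    const char* ptr;
    size_t len;
    const Charset* cs;
};

// Thrown where the real code would crash on a NULL charset pointer (assumed name).
struct UninitializedElement {};

// Minimal model of in_vector: count = items in the IN list (NULLs included),
// used_count = items actually stored, because NULL items are skipped by set().
struct InVector {
    Str* base;
    size_t count;
    size_t used_count;

    explicit InVector(size_t n)
        : base(static_cast<Str*>(calloc(n, sizeof(Str)))), count(n), used_count(0) {}
    ~InVector() { free(base); }
    InVector(const InVector&) = delete;
    InVector& operator=(const InVector&) = delete;

    // Store one non-NULL value; this is the only place cs gets a valid pointer.
    void set(const char* s, const Charset* cs) {
        Str& e = base[used_count++];
        e.ptr = s; e.len = strlen(s); e.cs = cs;
    }

    // Sort only the populated prefix, as the real code does before the range scan.
    void sort() {
        std::sort(base, base + used_count,
                  [](const Str& a, const Str& b) { return strcmp(a.ptr, b.ptr) < 0; });
    }

    // Model of compare_elems(): both sides need a valid charset.
    bool compare_elems(size_t i, size_t j) const {
        const Str& a = base[i];
        const Str& b = base[j];
        if (a.cs == nullptr || b.cs == nullptr) throw UninitializedElement();
        return strcmp(a.ptr, b.ptr) != 0;
    }
};

// Fill the vector the way fix_length_and_dec() does: nullptr models SQL NULL and is skipped.
static void fill(InVector& v, const std::vector<const char*>& items, const Charset* cs) {
    for (const char* s : items)
        if (s != nullptr) v.set(s, cs);
}

// Scan like the loop in get_func_mm_tree(): count distinct values among elements [0, bound).
// Returns -1 if the scan touched an element of the zeroed, never-initialized tail.
static int distinct_values(const InVector& v, size_t bound) {
    if (bound == 0) return 0;
    int distinct = 1;
    try {
        for (size_t i = 1; i < bound; i++)
            if (v.compare_elems(i, i - 1)) distinct++;
    } catch (const UninitializedElement&) {
        return -1;
    }
    return distinct;
}

static const Charset kLatin1 = { "latin1" };  // constructed sample charset

// The buggy bound (count) and the fixed bound (used_count), side by side.
static int scan_to_count(const std::vector<const char*>& items) {
    InVector v(items.size());
    fill(v, items, &kLatin1);
    v.sort();
    return distinct_values(v, v.count);
}

static int scan_to_used_count(const std::vector<const char*>& items) {
    InVector v(items.size());
    fill(v, items, &kLatin1);
    v.sort();
    return distinct_values(v, v.used_count);
}

int main() {
    // Constructed sample: x IN ('a', 'b', NULL, 'a')
    std::vector<const char*> items = { "a", "b", nullptr, "a" };
    printf("bound = count:      %d\n", scan_to_count(items));       // -1: touched zeroed tail
    printf("bound = used_count: %d\n", scan_to_used_count(items));  // 2 distinct values
    return 0;
}
```

With no NULL in the list, count and used_count agree and both scans give the same answer; the NULL item is what opens the gap between them, which matches the report that the crash needs one NULL in the IN list.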