MDEV-22818 Server crash on corrupted ROW_FORMAT=COMPRESSED page

page_zip_fields_decode(): Do not dereference index=NULL. Instead, return NULL early. The only caller does not care about the values of output parameters in that case. This bug was introduced in MySQL 5.7.6 by mysql/mysql-server@9eae0ed and in MariaDB 10.2.2 by commit 2e814d4. Thanks to my son for pointing this out after investigating the output of a static analysis tool.
MariaDB · Jun 6, 2020 · 1bd5b75 · 1bd5b75
1 parent 7a695d8
commit 1bd5b75
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/storage/innobase/page/page0zip.cc b/storage/innobase/page/page0zip.cc
@@ -1756,8 +1756,9 @@ page_zip_fields_decode(
 		if (!val) {
 			val = ULINT_UNDEFINED;
 		} else if (UNIV_UNLIKELY(val >= n)) {
+fail:
 			page_zip_fields_free(index);
-			index = NULL;
+			return NULL;
 		} else {
 			index->type = DICT_CLUSTERED;
 		}
@@ -1766,8 +1767,7 @@ page_zip_fields_decode(
 	} else {
 		/* Decode the number of nullable fields. */
 		if (UNIV_UNLIKELY(index->n_nullable > val)) {
-			page_zip_fields_free(index);
-			index = NULL;
+			goto fail;
 		} else {
 			index->n_nullable = unsigned(val);
 		}