MDEV-22337 Assertion `Alloced_length >= (str_length + length +...

Fix pointer calculations in the Session_tracker::store. Most of the fix for this bug goes to the 10.5, but this part should be also fixed earlier.
MariaDB · Apr 29, 2020 · 4af4284 · 4af4284
1 parent dd5c307
commit 4af4284
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/sql/session_tracker.cc b/sql/session_tracker.cc
@@ -1693,7 +1693,7 @@ void Session_tracker::store(THD *thd, String *buf)
   }
 
   size_t length= buf->length() - start;
-  uchar *data= (uchar *)(buf->ptr() + start);
+  uchar *data;
   uint size;
 
   if ((size= net_length_size(length)) != 1)
@@ -1703,8 +1703,16 @@ void Session_tracker::store(THD *thd, String *buf)
       buf->length(start); // it is safer to have 0-length block in case of error
       return;
     }
+
+    /*
+      The 'buf->reserve()' can change the buf->ptr() so we cannot
+      calculate the 'data' earlier.
+    */
+    data= (uchar *)(buf->ptr() + start);
     memmove(data + (size - 1), data, length);
   }
+  else
+    data= (uchar *)(buf->ptr() + start);
 
   net_store_length(data - 1, length);
 }