Skip to content

Commit 82ab92b

Browse files
vaintroubvaintroub
committed
MDEV-10951 Field_newdate::cmp access violation
The crash is caused by macro uint3korr() accessing memory (1 byte) past the end of allocated page. The macro is written such it reads 4 bytes instead of 3 and discards the value of the last byte. However, it is not always guaranteed that all uint3korr accesses will be valid (i.e that the caller allocates an extra byte after the value). In particular, the tree in Item_func_group_concat does not account for any extra bytes that it would need for comparison of keys in some cases (Field_newdate::cmp, Field_medium::cmp) The fix change uint3korr so it does not access extra bytes.
1 parent ed3998a commit 82ab92b

File tree

2 files changed

+0
-18
lines changed

2 files changed

+0
-18
lines changed

include/byte_order_generic_x86.h

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -27,19 +27,9 @@
2727
((uint32) (uchar) (A)[0])))
2828
#define sint4korr(A) (*((const long *) (A)))
2929
#define uint2korr(A) (*((const uint16 *) (A)))
30-
31-
/*
32-
Attention: Please, note, uint3korr reads 4 bytes (not 3)!
33-
It means, that you have to provide enough allocated space.
34-
*/
35-
#if defined(HAVE_valgrind) && !defined(_WIN32)
3630
#define uint3korr(A) (uint32) (((uint32) ((uchar) (A)[0])) +\
3731
(((uint32) ((uchar) (A)[1])) << 8) +\
3832
(((uint32) ((uchar) (A)[2])) << 16))
39-
#else
40-
#define uint3korr(A) (long) (*((const unsigned int *) (A)) & 0xFFFFFF)
41-
#endif
42-
4333
#define uint4korr(A) (*((const uint32 *) (A)))
4434
#define uint5korr(A) ((ulonglong)(((uint32) ((uchar) (A)[0])) +\
4535
(((uint32) ((uchar) (A)[1])) << 8) +\

include/byte_order_generic_x86_64.h

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -27,17 +27,9 @@
2727
((uint32) (uchar) (A)[0])))
2828
#define sint4korr(A) (int32) (*((int32 *) (A)))
2929
#define uint2korr(A) (uint16) (*((uint16 *) (A)))
30-
/*
31-
Attention: Please, note, uint3korr reads 4 bytes (not 3)!
32-
It means, that you have to provide enough allocated space.
33-
*/
34-
#if defined(HAVE_valgrind) && !defined(_WIN32)
3530
#define uint3korr(A) (uint32) (((uint32) ((uchar) (A)[0])) +\
3631
(((uint32) ((uchar) (A)[1])) << 8) +\
3732
(((uint32) ((uchar) (A)[2])) << 16))
38-
#else
39-
#define uint3korr(A) (uint32) (*((unsigned int *) (A)) & 0xFFFFFF)
40-
#endif
4133
#define uint4korr(A) (uint32) (*((uint32 *) (A)))
4234
#define uint5korr(A) ((ulonglong)(((uint32) ((uchar) (A)[0])) +\
4335
(((uint32) ((uchar) (A)[1])) << 8) +\

0 commit comments

Comments
 (0)