
Commit ae34d85

MDEV-20311 row_ins_step accesses unitialized memory
ins_node_create() does not initialize all members of que_common_t, so zero-init them with mem_heap_zalloc(). Handle out-of-memory correctly. Init insert_node->common.parent to fulfill the contract of thr usage. Free insert_node subtree at row_update_vers_insert() exit.
1 parent 841294c commit ae34d85


2 files changed

+16
-10
lines changed


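--- a/storage/innobase/row/row0ins.cc
+++ b/storage/innobase/row/row0ins.cc
@@ -74,20 +74,18 @@ ins_node_create(
 ins_node_t* node;
 
 node = static_cast<ins_node_t*>(
-mem_heap_alloc(heap, sizeof(ins_node_t)));
+mem_heap_zalloc(heap, sizeof(ins_node_t)));
+
+if (!node) {
+return(NULL);
+}
 
 node->common.type = QUE_NODE_INSERT;
 
 node->ins_type = ins_type;
 
 node->state = INS_NODE_SET_IX_LOCK;
 node->table = table;
-node->index = NULL;
-node->entry = NULL;
-
-node->select = NULL;
-
-node->trx_id = 0;
 
 node->entry_sys_heap = mem_heap_create(128);
 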
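Review bot: The new `if (!node) { return(NULL); }` check (new lines 79–81) changes the contract of ins_node_create() to "may return NULL", but the function's header comment is outside this hunk and is not updated, and of this commit's two files only row_update_vers_insert() in row0mysql.cc checks the result; any other caller now needs to handle NULL as well. Add to the doc comment of ins_node_create() `@return the created insert node, or NULL if the heap allocation failed`, so the new obligation on callers is visible. The heap created a few lines later, `node->entry_sys_heap = mem_heap_create(128);`, is still unchecked; if mem_heap_create() can fail in the same way (I cannot confirm its failure behaviour from this page), the new out-of-memory handling should cover that allocation too. The body of ins_node_create() starts and ends outside the hunk.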

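--- a/storage/innobase/row/row0mysql.cc
+++ b/storage/innobase/row/row0mysql.cc
@@ -2150,7 +2150,9 @@ This is used in UPDATE CASCADE/SET NULL of a system versioning table.
 @return DB_SUCCESS or some error */
 static dberr_t row_update_vers_insert(que_thr_t* thr, upd_node_t* node)
 {
-const trx_t* trx = thr_get_trx(thr);
+trx_t* trx = thr_get_trx(thr);
+dfield_t* row_end;
+char row_end_data[8];
 dict_table_t* table = node->table;
 ut_ad(table->versioned());
 
@@ -2161,10 +2163,15 @@ static dberr_t row_update_vers_insert(que_thr_t* thr, upd_node_t* node)
 ins_node_t* insert_node =
 ins_node_create(INS_DIRECT, table, node->historical_heap);
 
+if (!insert_node) {
+trx->error_state = DB_OUT_OF_MEMORY;
+goto exit;
+}
+
+insert_node->common.parent = thr;
 ins_node_set_new_row(insert_node, row);
 
-dfield_t* row_end = dtuple_get_nth_field(row, table->vers_end);
-char row_end_data[8];
+row_end = dtuple_get_nth_field(row, table->vers_end);
 if (dict_table_get_nth_col(table, table->vers_end)->vers_native()) {
 mach_write_to_8(row_end_data, trx->id);
 dfield_set_data(row_end, row_end_data, 8);
@@ -2202,6 +2209,7 @@ static dberr_t row_update_vers_insert(que_thr_t* thr, upd_node_t* node)
 }
 }
 exit:
+que_graph_free_recursive(insert_node);
 mem_heap_free(node->historical_heap);
 node->historical_heap = NULL;
 return trx->error_state;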
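Review bot: On the out-of-memory path (new lines 2166–2169) the `goto exit` reaches the new `que_graph_free_recursive(insert_node);` with insert_node == NULL, so the cleanup depends on que_graph_free_recursive() tolerating a NULL argument; if it does not (I cannot confirm that from this page), guard the call with `if (insert_node) que_graph_free_recursive(insert_node);`. Because insert_node is allocated from node->historical_heap (line 2164), its subtree must be released before `mem_heap_free(node->historical_heap);`, and that ordering is currently implicit; a one-line comment above the call, `/* insert_node lives in historical_heap: free its subtree before the heap */`, would keep a later reordering from turning the exit path into a use-after-free. The body of row_update_vers_insert() between the hunks is outside the view.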
