MDEV-15723 Crash in INFORMATION_SCHEMA.INNODB_SYS_TABLES when accessi…

…ng corrupted record dict_load_table_low(): When flagging an error, assign *table = NULL. Failure to do so could cause a crash if an error was flagged when accessing INFORMATION_SCHEMA.INNODB_SYS_TABLES.
MariaDB · Apr 23, 2018 · c7bb337 · c7bb337
1 parent fcaf619
commit c7bb337
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/storage/innobase/dict/dict0load.cc b/storage/innobase/dict/dict0load.cc
@@ -1,6 +1,7 @@
 /*****************************************************************************
 
 Copyright (c) 1996, 2016, Oracle and/or its affiliates. All Rights Reserved.
+Copyright (c) 2018, MariaDB Corporation.
 
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
@@ -2057,17 +2058,20 @@ dict_load_table_low(
 	ulint		flags2;
 
 	if (rec_get_deleted_flag(rec, 0)) {
+		*table = NULL;
 		return("delete-marked record in SYS_TABLES");
 	}
 
 	if (rec_get_n_fields_old(rec) != DICT_NUM_FIELDS__SYS_TABLES) {
+		*table = NULL;
 		return("wrong number of columns in SYS_TABLES record");
 	}
 
 	rec_get_nth_field_offs_old(
 		rec, DICT_FLD__SYS_TABLES__NAME, &len);
 	if (len == 0 || len == UNIV_SQL_NULL) {
 err_len:
+		*table = NULL;
 		return("incorrect column length in SYS_TABLES");
 	}
 	rec_get_nth_field_offs_old(
@@ -2147,6 +2151,7 @@ dict_load_table_low(
 			"InnoDB: in InnoDB data dictionary"
 			" has unknown type %lx.\n",
 			(ulong) flags);
+		*table = NULL;
 		return("incorrect flags in SYS_TABLES");
 	}
 

diff --git a/storage/xtradb/dict/dict0load.cc b/storage/xtradb/dict/dict0load.cc
@@ -1,7 +1,7 @@
 /*****************************************************************************
 
 Copyright (c) 1996, 2016, Oracle and/or its affiliates. All Rights Reserved.
-Copyright (c) 2017, MariaDB Corporation.
+Copyright (c) 2017, 2018, MariaDB Corporation.
 
 This program is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
@@ -2059,17 +2059,20 @@ dict_load_table_low(
 	ulint		flags2;
 
 	if (rec_get_deleted_flag(rec, 0)) {
+		*table = NULL;
 		return("delete-marked record in SYS_TABLES");
 	}
 
 	if (rec_get_n_fields_old(rec) != DICT_NUM_FIELDS__SYS_TABLES) {
+		*table = NULL;
 		return("wrong number of columns in SYS_TABLES record");
 	}
 
 	rec_get_nth_field_offs_old(
 		rec, DICT_FLD__SYS_TABLES__NAME, &len);
 	if (len == 0 || len == UNIV_SQL_NULL) {
 err_len:
+		*table = NULL;
 		return("incorrect column length in SYS_TABLES");
 	}
 	rec_get_nth_field_offs_old(
@@ -2149,6 +2152,7 @@ dict_load_table_low(
 			"InnoDB: in InnoDB data dictionary"
 			" has unknown type %lx.\n",
 			(ulong) flags);
+		*table = NULL;
 		return("incorrect flags in SYS_TABLES");
 	}