BUG#31360522 : >=5.6.36 SOME RANGE QUERIES STILL CRASH...

karthik-kamath · karthik-kamath · commit c51237cec9f6 · 2025-05-14T08:46:09.000+02:00
DESCRIPTION:
============
Certain range queries on a table with index prefixed
BLOB/TEXT columns could lead to a server exit.

ANALYSIS:
=========
While opening the table based on its table share, in
open_table_from_share(), we create a copy of the key_info
from TABLE_SHARE object to TABLE object. If the key is
prefixed, we allocate a new Field object, having its
field_length set to the prefix key length, and point the
table's matching key_part-&gt;field to this new Field object.
We skip creating the new Field object for prefixed BLOB
columns.

A secondary key is extended by adding primary key parts to
it if the primary key part does not exist in the secondary
key or the key part in the secondary key is a prefix of the
key field (add_pk_parts_to_sk()). The consequence of
skipping the creation of new Field object for prefixed BLOB
columns is that the key parts from the secondary key and
primary key will be pointing to the same Field object.

Later, while performing end-range scan, we check if the key
is within range (compare_key_in_buffer()). We change the
offsets of all the fields in the key range to make the
fields point to the record buffer
(move_key_field_offsets()). In case of BLOBs, we end up
moving the same field twice in move_key_field_offsets().
This leads to accessing out of bound memory while performing
key comparison.

FIX:
====
We allow creating new Field object even for BLOB columns in
open_table_from_share().

When a table with index prefixed BLOB columns is evicted
from Table cache, Field_blob objects are free'd by clearing
the Table's mem_root in closefrm(). However, since
Field_blob::value is allocated on the heap, a specific
cleanup to free the Field_blob objects has been added in
closefrm().

Note:
=====
This issue is not a regression but rather was exposed in
5.6.36 by the patch for Bug#23481444: OPTIMISER CALL
ROW_SEARCH_MVCC() AND READ THE INDEX APPLIED BY UNCOMMITTED
ROWS.

Change-Id: Ie0ecdb801b6cf81783c0cbd9a52d709fd3abdb30
diff --git a/sql/sql_partition.cc b/sql/sql_partition.cc
@@ -834,6 +834,12 @@ static bool handle_list_of_fields(List_iterator<char> it,
       for (i= 0; i < num_key_parts; i++)
       {
         Field *field= table->key_info[primary_key].key_part[i].field;
+        // BLOB/TEXT columns are not allowed in partitioning keys.
+        if (field->flags & BLOB_FLAG)
+        {
+          my_error(ER_BLOB_FIELD_IN_PART_FUNC_ERROR, MYF(0));
+          DBUG_RETURN(TRUE);
+        }
         field->flags|= GET_FIXED_FIELDS_FLAG;
       }
     }
diff --git a/sql/table.cc b/sql/table.cc
@@ -3241,8 +3241,15 @@ int open_table_from_share(THD *thd, TABLE_SHARE *share, const char *alias,
       {
         Field *field= key_part->field= outparam->field[key_part->fieldnr-1];
 
+        /*
+          For spatial indexes, the key parts are assigned the length (4 *
+          sizeof(double)) in mysql_prepare_create_table() and the
+          field->key_length() is set to 0. This makes it appear like a prefixed
+          index. However, prefixed indexes are not allowed on Geometric columns.
+          Hence skipping new field creation for Geometric columns.
+        */
         if (field->key_length() != key_part->length &&
-            !(field->flags & BLOB_FLAG))
+            field->type() != MYSQL_TYPE_GEOMETRY)
         {
           /*
             We are using only a prefix of the column as a key:
@@ -3512,6 +3519,37 @@ int closefrm(TABLE *table, bool free_share)
     error=table->file->ha_close();
   my_free((void *) table->alias);
   table->alias= 0;
+
+  /*
+    Iterate through the Table's Key_info and free its key_part->field if the
+    field is of BLOB type.
+
+    When a prefixed key is present, a new Field object is created in
+    open_table_from_share(). These field objects get destroyed when the Table's
+    mem_root is cleared here later. In case of Field_blob objects,
+    Field_blob::value is allocated on the heap. Thus Field_blob objects are
+    freed here in order to destruct the Field_blob::value object.
+  */
+  KEY *key_info= table->key_info;
+  if (key_info)
+  {
+    KEY_PART_INFO *key_part= key_info->key_part;
+    for (KEY *key_info_end= key_info + table->s->keys; key_info < key_info_end;
+         key_info++)
+    {
+      for (KEY_PART_INFO *key_part_end= key_part + key_info->actual_key_parts;
+           key_part < key_part_end; key_part++)
+      {
+        if (key_part->field && (key_part->field->flags & BLOB_FLAG) &&
+            key_part->field->type() != MYSQL_TYPE_GEOMETRY)
+        {
+          delete key_part->field;
+          key_part->field= 0;
+        }
+      }
+    }
+  }
+
   if (table->field)
   {
     for (Field **ptr=table->field ; *ptr ; ptr++)

Original file line number	Diff line number	Diff line change
`@@ -834,6 +834,12 @@ static bool handle_list_of_fields(List_iterator<char> it,`
`834`	`834`	`for (i= 0; i < num_key_parts; i++)`
`835`	`835`	`{`
`836`	`836`	`Field *field= table->key_info[primary_key].key_part[i].field;`
	`837`	`+ // BLOB/TEXT columns are not allowed in partitioning keys.`
	`838`	`+ if (field->flags & BLOB_FLAG)`
	`839`	`+ {`
	`840`	`+ my_error(ER_BLOB_FIELD_IN_PART_FUNC_ERROR, MYF(0));`
	`841`	`+ DBUG_RETURN(TRUE);`
	`842`	`+ }`
`837`	`843`	`field->flags\|= GET_FIXED_FIELDS_FLAG;`
`838`	`844`	`}`
`839`	`845`	`}`