Bug #39645 Losing size info for VARCHAR/CHAR for disk-data could segfault API apps
Submitted: 25 Sep 2008 9:08   Modified: 12 Nov 2008 13:05
Reporter: Geert Vanderkelen
Status: Closed
Category: MySQL Cluster: Disk Data   Severity: S3 (Non-critical)
Version: mysql-5.1.28-ndb-6.3.18   OS: Any
Assigned to: Frazer Clement   CPU Architecture: Any

[25 Sep 2008 9:08] Geert Vanderkelen
Description:
In the following method:

NdbOperation::setValue( const NdbColumnImpl* tAttrInfo,
      const char* aValuePassed)
{
..
  if (((UintPtr)aValue & 3) != 0 || (slack != 0)){
    memcpy(&tempData[0], aValue, attributeSize);
    aValue = (char*)&tempData[0];
    if(slack != 0) {
      char * tmp = (char*)&tempData[0];
      memset(&tmp[attributeSize], 0, (4 - slack));
    }//if
  }//if
..

The memcpy call might segfault if the length of aValue is less than attributeSize.

How to repeat:
(no case yet)
[30 Sep 2008 12:54] Jonas Oreland
does not affect mysqld
[11 Nov 2008 11:41] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58442

2733 Frazer Clement	2008-11-11
      Bug# 39645 Losing size info for VARCHAR/CHAR for disk-data could segfault API apps
      
      VAR* types are stored fixed-size on disk.  This var->fixed mapping occurs 
      at the NDBAPI level, and some evidence of it can leak out to NDBAPI applications.
      
      This patch modifies the implementation of a number of NDBAPI methods so that
      disk-based VAR* types display the same behaviour as memory based VAR* types.
      
      From mysql-5.1-telco-6.4, the handling of VAR* types on disk is changed by 
      WL4499, and this patch becomes unnecessary.
      
      HugoTest table D2 is augmented with some VARCHAR and LONGVARCHAR columns.
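The description shows setValue() copying attributeSize bytes (the fixed on-disk size) out of a caller buffer that, for a var-length column, may hold only a short value; the commit message explains that this var->fixed mapping happens at the NDBAPI level. The following is an added example, not code from the report or from the NDB API source, of a copy that is bounded by the value's own length prefix instead. VarColumn, fixedAttributeSize and packVarToFixed are hypothetical helpers, and the prefix sizes (1 byte for VARCHAR, 2 for LONGVARCHAR) and little-endian prefix encoding are assumptions for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical description of a disk-stored VAR* column (not an NDB API type).
// prefixBytes: length-prefix size of the memory representation
// (assumption: 1 for VARCHAR, 2 for LONGVARCHAR); maxDataBytes: declared max length.
struct VarColumn {
    std::size_t prefixBytes;
    std::size_t maxDataBytes;
};

// Fixed on-disk footprint of the column, rounded up to a whole 32-bit word,
// mirroring the (4 - slack) zero padding in the quoted setValue() code.
static std::size_t fixedAttributeSize(const VarColumn& col) {
    return (col.prefixBytes + col.maxDataBytes + 3) & ~static_cast<std::size_t>(3);
}

// Copies a length-prefixed var value into a word-aligned temp buffer of the
// fixed on-disk size. Only prefixBytes + actual length bytes are read from
// `value`; the rest of the buffer is zero-filled, so the caller's buffer is
// never read past the value it actually holds. Returns the number of bytes
// read from `value`, or 0 if the prefix claims more than maxDataBytes.
static std::size_t packVarToFixed(const VarColumn& col, const char* value,
                                  std::vector<std::uint32_t>& tempData) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(value);
    std::size_t dataLen = 0;
    // Decode the little-endian length prefix (assumption, see lead-in).
    for (std::size_t i = 0; i < col.prefixBytes; ++i)
        dataLen |= static_cast<std::size_t>(p[i]) << (8 * i);
    if (dataLen > col.maxDataBytes)
        return 0;  // malformed prefix: refuse rather than over-read
    const std::size_t bytesToCopy = col.prefixBytes + dataLen;
    const std::size_t fixedSize = fixedAttributeSize(col);
    tempData.assign(fixedSize / 4, 0u);  // zero-filled, 4-byte aligned storage
    std::memcpy(tempData.data(), value, bytesToCopy);
    return bytesToCopy;
}
```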
[11 Nov 2008 12:59] Bugs System
Pushed into 5.1.29-ndb-6.4.0  (revid:frazer@mysql.com-20081111114042-js0jt91pudzfn9cx) (version source revid:frazer@mysql.com-20081111125417-ub3cfqfr989x8941) (pib:5)
[11 Nov 2008 13:00] Bugs System
Pushed into 5.1.29-ndb-6.2.17  (revid:frazer@mysql.com-20081111114042-js0jt91pudzfn9cx) (version source revid:frazer@mysql.com-20081111114042-js0jt91pudzfn9cx) (pib:5)
[11 Nov 2008 13:01] Bugs System
Pushed into 5.1.29-ndb-6.3.19  (revid:frazer@mysql.com-20081111114042-js0jt91pudzfn9cx) (version source revid:frazer@mysql.com-20081111114700-xdvjiptbegj4d875) (pib:5)
[12 Nov 2008 13:05] Jon Stephens
Documented bugfix in the ndb-6.2.17 and ndb-6.3.19 changelogs as follows:

        Disk-based variable-length columns were not always handled like their
        memory-based equivalents, which could potentially lead to a crash of 
        cluster data nodes.
[12 Dec 2008 23:29] Bugs System
Pushed into 6.0.9-alpha  (revid:frazer@mysql.com-20081111114042-js0jt91pudzfn9cx) (version source revid:tomas.ulin@sun.com-20081209185954-9svcixh2p5hsfi6w) (pib:5)