| Bug #104884 | btr_copy_externally_stored_field_prefix_func may write beyond the buffer | ||
|---|---|---|---|
| Submitted: | 9 Sep 2021 10:16 | Modified: | 13 Sep 2021 6:08 |
| Reporter: | XIAOFEI WU | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: InnoDB Plugin storage engine | Severity: | S3 (Non-critical) |
| Version: | | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[13 Sep 2021 6:08]
Erlend Dahl
According to the InnoDB team, the observation by the filer is correct.

Description: latest 8.0.26 commit: beb865a960b9a8a16cf999c323e46c5b0c67f21f

In the function 'btr_copy_externally_stored_field_prefix_func' of lob0lob.cc

```
ulint btr_copy_externally_stored_field_prefix_func(trx_t *trx, const dict_index_t *index, byte *buf, ulint len, const page_size_t &page_size, const byte *data,
#ifdef UNIV_DEBUG
                                                  bool is_sdi,
#endif /* UNIV_DEBUG */
                                                  ulint local_len) {
  ......
  if (UNIV_UNLIKELY(local_len >= len)) {
    memcpy(buf, data, len);
    return (len);
  }

  memcpy(buf, data, local_len);
  data += local_len;
  ......
  ulint fetch_len = lob::read(&rctx, rctx.m_blobref, 0, len, buf + local_len);
}
```

The last line's parameter 'len' should be 'len - local_len'; otherwise the write area may cross the preallocated buffer's boundary.

How to repeat: purely detected in the code, no cases.
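An added example, not InnoDB code, that models the prefix copy the report describes with the reported `len` beside the suggested `len - local_len`. `LobField`, `lob_read` and `copy_prefix` are hypothetical stand-ins; the model's `lob_read` refuses to write past the buffer and reports the overrun instead of performing it.

```cpp
// Model of the prefix copy in btr_copy_externally_stored_field_prefix_func
// (constructed example, not InnoDB code). A column value is `local_len`
// inline bytes followed by an off-page LOB; the caller supplies `buf` with
// room for exactly `len` bytes and wants at most `len` bytes back.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <vector>

struct LobField {
  std::vector<unsigned char> local;     // bytes stored inline in the record
  std::vector<unsigned char> external;  // bytes stored off-page
};

// Stand-in for lob::read(): copies up to `want` LOB bytes to `dst` and
// returns how many it wrote. Like the real call it trusts `want` to fit;
// `dst_end` exists only so this model can report an overrun rather than
// corrupt memory.
static size_t lob_read(const LobField &f, size_t want, unsigned char *dst,
                       const unsigned char *dst_end, bool *overran) {
  size_t n = std::min(want, f.external.size());
  size_t cap = static_cast<size_t>(dst_end - dst);
  if (n > cap) {  // the real code would write past the buffer here
    *overran = true;
    n = cap;      // clamp for the model only
  }
  std::memcpy(dst, f.external.data(), n);
  return n;
}

// Copies a prefix of at most `len` bytes of `f` into `buf` (sized to `len`).
// `fixed` selects the corrected length, len - local_len, instead of len.
static size_t copy_prefix(const LobField &f, std::vector<unsigned char> &buf,
                          size_t len, bool fixed, bool *overran) {
  *overran = false;
  buf.assign(len, static_cast<unsigned char>(0));
  size_t local_len = f.local.size();
  if (local_len >= len) {  // the whole prefix is inline
    std::memcpy(buf.data(), f.local.data(), len);
    return len;
  }
  std::memcpy(buf.data(), f.local.data(), local_len);
  size_t want = fixed ? len - local_len : len;  // the bug is the `len` branch
  size_t got = lob_read(f, want, buf.data() + local_len, buf.data() + len,
                        overran);
  return local_len + got;
}
```

The overrun only shows when the off-page part holds more than `len - local_len` bytes; a short LOB hides it, which is why the report found it by reading the code rather than from a failing case.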