Bug #22727 [patch] sizeof(wrong type) allocation may lead to access beyond end of array
Submitted: 27 Sep 2006 7:27 Modified: 11 Dec 2017 16:40
Reporter: Vasil Dimov
Status: Closed
Category: MySQL Server: General    Severity: S4 (Feature request)
Version: 5.0.26-BK    OS: Any (OS/2)
Assigned to:    CPU Architecture: Any
Tags: Contribution

[27 Sep 2006 7:27] Vasil Dimov
While digging for another problem I accidentally noticed the following bug in mysql-5.0/mysys/my_os2tls.c:123:TlsGetValue():

An array of TLS_MINIMUM_AVAILABLE "int"s is allocated, then it is cast to an array of "ULONG"s and the "index"th member is accessed, where "index" is guaranteed to be less than TLS_MINIMUM_AVAILABLE.

For systems where sizeof(int) < sizeof(ULONG) (e.g. on amd64 sizeof(int)==4 and sizeof(ULONG)==8) this will lead to bogus results and probably crashes.

How to repeat:
Not sure, this code is not included at all in my setup (FreeBSD6/amd64) with default configuration.

Suggested fix:
--- mysql-5.0.orig/mysys/my_os2tls.c    Wed Sep 27 09:26:00 2006
+++ mysql-5.0/mysys/my_os2tls.c Mon Sep 25 17:38:54 2006
@@ -114,19 +114,19 @@
 PVOID TlsGetValue( DWORD index)
   if (index >= TLS_MINIMUM_AVAILABLE)
     return NULL;

   /* verify if memory has been allocated for this thread */
   if (*tls_storage == NULL)
     /* allocate memory for indexes */
-    *tls_storage = (ULONG)calloc( TLS_MINIMUM_AVAILABLE, sizeof(int));
+    *tls_storage = (ULONG)calloc( TLS_MINIMUM_AVAILABLE, sizeof(ULONG));
     /* fprintf(stderr, "tid#%d, tls_storage %x\n", _threadid, *tls_storage); */

   ULONG* tls_array = (ULONG*) *tls_storage;
   return (PVOID) tls_array[index];

 BOOL TlsSetValue( DWORD index, PVOID val)
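Review bot: the calloc result is still never checked before `ULONG* tls_array = (ULONG*) *tls_storage;` dereferences it, so an allocation failure turns into a NULL dereference at `tls_array[index]`; after the allocation, add something like `if (*tls_storage == NULL) return NULL;`. The corrected element size is right, but `sizeof(*tls_array)` (or `sizeof(ULONG)` spelled through the array's own type) would tie the allocation to the type the storage is read through, so the two cannot drift apart again. Minor: the `if` body has no braces, so the commented-out fprintf must stay commented or be braced together with the assignment. TlsSetValue, whose signature closes this hunk, should get the same review if it allocates the table the same way.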
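As an added illustration of the mismatch the report describes (this is example code, not MySQL's my_os2tls.c), the block below models a slot table that is allocated with one element size and read through another, computes the first index that falls beyond the calloc'd block, and shows a bounds-checked getter that refuses such a read instead of performing it. The slot count 64 for TLS_MINIMUM_AVAILABLE, the `tls_slot_t` stand-in for ULONG, and the `tls_storage_t` record are assumptions made for the demo.

```c
/* Added example, not code from the MySQL tree: models the calloc element-size
 * mismatch from bug #22727. TLS_MINIMUM_AVAILABLE = 64, tls_slot_t and
 * tls_storage_t are assumptions for this demo, not names from my_os2tls.c. */
#include <stdio.h>
#include <stdlib.h>

#define TLS_MINIMUM_AVAILABLE 64        /* assumed slot count for the demo */

typedef unsigned long tls_slot_t;       /* stands in for ULONG, the type read through */

/* A thread's slot table plus the byte size calloc really returned, so every
 * read can be checked against the true extent of the block. */
typedef struct {
    void  *base;
    size_t bytes;
} tls_storage_t;

/* First slot index whose access_elem-byte read starts at or past the end of
 * an allocation of n_slots * alloc_elem bytes; -1 if all indexes < n_slots
 * are backed. alloc_elem 4 (int) and access_elem 8 (ULONG on LP64) give 32:
 * the upper half of a 64-slot table is never backed by memory. */
long first_overrun_index(size_t alloc_elem, size_t access_elem, size_t n_slots)
{
    size_t allocated = n_slots * alloc_elem;
    size_t usable    = allocated / access_elem;   /* whole slots actually backed */
    return usable < n_slots ? (long)usable : -1;
}

/* Allocate the table with the element size handed in (the bug passed
 * sizeof(int)) and record the byte count actually obtained. */
static int tls_alloc(tls_storage_t *st, size_t elem_size)
{
    st->base = calloc(TLS_MINIMUM_AVAILABLE, elem_size);
    if (st->base == NULL)
        return 0;
    st->bytes = TLS_MINIMUM_AVAILABLE * elem_size;
    return 1;
}

/* Checked read: returns 0 instead of reading past the allocation. */
int tls_get_value_checked(const tls_storage_t *st, size_t index, tls_slot_t *out)
{
    if (index >= TLS_MINIMUM_AVAILABLE || st->base == NULL)
        return 0;
    /* the byte range [index*sizeof(slot), (index+1)*sizeof(slot)) must fit */
    if ((index + 1) * sizeof(tls_slot_t) > st->bytes)
        return 0;                               /* would read beyond the block */
    *out = ((const tls_slot_t *)st->base)[index];
    return 1;
}

/* Read every slot through the checked getter; return how many reads were
 * refused because the allocation did not back them. */
size_t count_unbacked_slots(size_t elem_size)
{
    tls_storage_t st = { NULL, 0 };
    tls_slot_t v;
    size_t refused = 0, i;
    if (!tls_alloc(&st, elem_size))
        return (size_t)-1;
    for (i = 0; i < TLS_MINIMUM_AVAILABLE; i++)
        if (!tls_get_value_checked(&st, i, &v))
            refused++;
    free(st.base);
    return refused;
}

int main(void)
{
    printf("slots refused with sizeof(int) allocation:   %zu\n",
           count_unbacked_slots(sizeof(int)));
    printf("slots refused with sizeof(ULONG) allocation: %zu\n",
           count_unbacked_slots(sizeof(tls_slot_t)));
    printf("first overrun index, 4-byte alloc / 8-byte access: %ld\n",
           first_overrun_index(4, 8, TLS_MINIMUM_AVAILABLE));
    return 0;
}
```

On an LP64 host the int-sized allocation leaves 32 of the 64 slots unbacked; on a platform where sizeof(int) == sizeof(unsigned long) the two allocations are the same size and nothing is refused, which is exactly why the defect stays invisible on 32-bit OS/2 builds and only shows up where the reporter measured it.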
[27 Sep 2006 7:32] Andrey Hristov
OS/2 support has been removed in 5.1, thus this bug does not affect the 5.1 tree.
[28 Sep 2006 15:44] Vasil Dimov
Set "OS" field to OS/2 since this is OS/2 specific
[28 Sep 2006 15:49] Vasil Dimov
Seems like TlsSetValue has a similar problem, so this patch should be considered

Attachment: my_os2tls.c_sizeof.diff (text/x-patch), 773 bytes.

[11 Dec 2017 16:40] Vasil Dimov
This bug has been buried with the removal of the file which contained it, about 11 years ago in eaf850ef5b7.