Bug #40321 ha_myisam::info could update rec_per_key incorrectly
Submitted: 24 Oct 2008 20:59 Modified: 19 Mar 2009 3:45
Reporter: Mark Callaghan
Status: Closed
Category: MySQL Server: MyISAM storage engine
Severity: S3 (Non-critical)
Version: 5.0.67, 5.1.26, 4.1, 5.0, 5.1, 6.0 bzr
OS: Any
Assigned to: Anurag Shekhar
CPU Architecture: Any
Tags: ha_myisam::info, rec_per_key

[24 Oct 2008 20:59] Mark Callaghan
Description:
ha_myisam::info() has this code:

    if (share->key_parts)
      memcpy((char*) table->key_info[0].rec_per_key,
             (char*) misam_info.rec_per_key,
             sizeof(table->key_info[0].rec_per_key)*share->key_parts);

table->key_info[0].rec_per_key has type ulong*, not ulong. As this code is trying to copy elements of the rec_per_key array, this should use:

    if (share->key_parts)
      memcpy((char*) table->key_info[0].rec_per_key,
             (char*) misam_info.rec_per_key,
             sizeof(table->key_info[0].rec_per_key[0])*share->key_parts);

On my platforms sizeof(ulong) == sizeof(ulong*), so this isn't a problem.

How to repeat:
NA

Suggested fix:
NA
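The defect class in this report is a byte count derived from the size of an array's pointer rather than the size of its elements. The following is an added, self-contained C example (not code from the MySQL source tree) that uses constructed stand-ins for the `KEY` and `MI_ISAMINFO` structures to show the two byte counts side by side, report whether the current platform is one where they diverge (the LLP64 case the bug affects, where `long` is 4 bytes and a pointer is 8), and perform the copy the fixed way with an explicit bound on the destination. The names `buggy_copy_bytes`, `fixed_copy_bytes`, `platform_is_affected` and `copy_rec_per_key` are assumptions of this example, not MySQL functions.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned long ulong;

/* Constructed stand-in for the table->key_info[] element used in ha_myisam::info(). */
typedef struct {
    ulong *rec_per_key;      /* array of key_parts statistics values */
} KEY_INFO;

/* Constructed stand-in for the MI_ISAMINFO source of the statistics. */
typedef struct {
    ulong *rec_per_key;
} MI_ISAMINFO;

/* Byte count the original code computed: sizeof(pointer) * key_parts. */
size_t buggy_copy_bytes(unsigned key_parts)
{
    KEY_INFO k;
    return sizeof(k.rec_per_key) * key_parts;      /* sizeof(ulong *) */
}

/* Byte count the corrected code computes: sizeof(element) * key_parts. */
size_t fixed_copy_bytes(unsigned key_parts)
{
    KEY_INFO k;
    return sizeof(k.rec_per_key[0]) * key_parts;   /* sizeof(ulong) */
}

/* Non-zero on platforms where the two formulas differ (e.g. 64-bit Windows, LLP64). */
int platform_is_affected(void)
{
    return sizeof(ulong) != sizeof(ulong *);
}

/* Copy key statistics sized by element, refusing counts the destination cannot hold.
 * Returns the number of elements copied, or -1 if key_parts exceeds dst_capacity. */
int copy_rec_per_key(KEY_INFO *dst, size_t dst_capacity,
                     const MI_ISAMINFO *src, size_t key_parts)
{
    if (key_parts > dst_capacity)
        return -1;
    memcpy(dst->rec_per_key, src->rec_per_key, sizeof(dst->rec_per_key[0]) * key_parts);
    return (int) key_parts;
}

int main(void)
{
    /* Constructed sample statistics for a three-part key. */
    ulong src_stats[3] = { 100UL, 10UL, 1UL };
    ulong dst_stats[3] = { 0UL, 0UL, 0UL };
    MI_ISAMINFO info = { src_stats };
    KEY_INFO key = { dst_stats };

    printf("sizeof(ulong) = %zu, sizeof(ulong *) = %zu, affected = %d\n",
           sizeof(ulong), sizeof(ulong *), platform_is_affected());
    printf("bytes for 3 key parts: buggy formula = %zu, fixed formula = %zu\n",
           buggy_copy_bytes(3), fixed_copy_bytes(3));

    int n = copy_rec_per_key(&key, 3, &info, 3);
    printf("copied %d elements: %lu %lu %lu\n", n, dst_stats[0], dst_stats[1], dst_stats[2]);
    return 0;
}
```

On LP64 systems (typical 64-bit Linux) both formulas print the same byte count, which is why the reporter saw no failure; on an LLP64 system the buggy formula yields twice the element size per key part, so the copy overruns the source and destination arrays.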
[27 Oct 2008 9:16] Sveta Smirnova
Thank you for the report.

Verified as described.
[5 Feb 2009 11:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65312

2768 Anurag Shekhar	2009-02-05
      Bug#40321 ha_myisam::info could update rec_per_key incorrectly
      
      At line number 1753, during the memcpy, use sizeof(ulong) and not sizeof(ulong *), as it
      may fail on platforms where sizeof(ulong) != sizeof(ulong *).
[6 Feb 2009 9:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65444

2768 Anurag Shekhar	2009-02-06
      Bug#40321 ha_myisam::info could update rec_per_key incorrectly
      
      MyISAM did copy of key statistics incorrectly, which may cause server crash
      or incorrect cardinality values. This may happen only on platforms where size
      of long differs from size of pointer.
      
      To determine number of bytes to be copied from array of ulong, MyISAM
      mistakenly used sizeof(pointer) instead of sizeof(ulong).
[13 Feb 2009 11:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/66182

2806 Anurag Shekhar	2009-02-13
      Bug#40321 ha_myisam::info could update rec_per_key incorrectly
      
      MyISAM did copy of key statistics incorrectly, which may cause
      server crash or incorrect cardinality values. This may happen only on
      platforms where size of long differs from size of pointer.
      
      To determine number of bytes to be copied from array of ulong,
      MyISAM mistakenly used sizeof(pointer) instead of sizeof(ulong).
[13 Mar 2009 19:05] Bugs System
Pushed into 5.1.33 (revid:joro@sun.com-20090313111355-7bsi1hgkvrg8pdds) (version source revid:azundris@mysql.com-20090224070618-mr7stu6rfcvoj18g) (merge vers: 5.1.33) (pib:6)
[18 Mar 2009 13:18] Bugs System
Pushed into 6.0.11-alpha (revid:joro@sun.com-20090318122208-1b5kvg6zeb4hxwp9) (version source revid:azundris@mysql.com-20090224072212-51w0xg6doju2drup) (merge vers: 6.0.10-alpha) (pib:6)
[19 Mar 2009 3:45] Paul Dubois
Noted in 5.1.33, 6.0.11 changelogs.

On platforms where long and pointer variables have different sizes,
MyISAM could copy key statistics incorrectly, resulting in a server
crash or incorrect cardinality values.
[9 May 2009 16:43] Bugs System
Pushed into 5.1.34-ndb-6.2.18 (revid:jonas@mysql.com-20090508185236-p9b3as7qyauybefl) (version source revid:jonas@mysql.com-20090508100057-30ote4xggi4nq14v) (merge vers: 5.1.33-ndb-6.2.18) (pib:6)
[9 May 2009 17:40] Bugs System
Pushed into 5.1.34-ndb-6.3.25 (revid:jonas@mysql.com-20090509063138-1u3q3v09wnn2txyt) (version source revid:jonas@mysql.com-20090508175813-s6yele2z3oh6o99z) (merge vers: 5.1.33-ndb-6.3.25) (pib:6)
[9 May 2009 18:37] Bugs System
Pushed into 5.1.34-ndb-7.0.6 (revid:jonas@mysql.com-20090509154927-im9a7g846c6u1hzc) (version source revid:jonas@mysql.com-20090509073226-09bljakh9eppogec) (merge vers: 5.1.33-ndb-7.0.6) (pib:6)