Bug #63901 Potentially invalid write to a MYISAM_SHARE share object
Submitted: 2 Jan 2012 19:08 Modified: 2 Jan 2012 19:42
Reporter: Davi Arnaut (OCA)
Status: Verified
Category:MySQL Server: MyISAM storage engine Severity:S3 (Non-critical)
Version:5.1, 5.5+ OS:Any
Assigned to: CPU Architecture:Any

[2 Jan 2012 19:08] Davi Arnaut
Allocating a MYISAM_SHARE object on the heap when opening a MyISAM table might lead to an invalid write to a MYISAM_SHARE object allocated on the stack.


272     if (!my_multi_malloc(MY_WME,
273                          &share,sizeof(*share),
274                          &share->state.rec_per_key_part,sizeof(long)*key_parts,
289                          &share->key_root_lock, sizeof(mysql_rwlock_t)*keys,
290                          &share->mmap_lock, sizeof(mysql_rwlock_t),
291                          NullS))


216   uint     nonmmaped_inserts;           /* counter of writing in non-mmaped
217                                            area */
218   mysql_rwlock_t mmap_lock;

The mmap_lock field is not a pointer, so it does not need to be explicitly allocated. Also, if the size of the mysql_rwlock_t type is less than the size of a pointer, the stack might be corrupted, but it is highly unlikely.

How to repeat:
Code inspection.

Suggested fix:
@@ -287,7 +287,6 @@ MI_INFO *mi_open(const char *name, int mode, uint open_flags)
                          &share->key_root_lock, sizeof(mysql_rwlock_t)*keys,
-                         &share->mmap_lock, sizeof(mysql_rwlock_t),
       goto err;
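Review bot: the hunk is pasted incomplete: the header promises 7 old and 6 new lines, but only one context line, the deletion and `goto err;` survive, so a reader cannot verify that `NullS))` now directly follows `&share->key_root_lock, sizeof(mysql_rwlock_t)*keys,` as the full listing above implies; please attach the complete diff. Dropping the pair is the right change, since `mmap_lock` is an inline `mysql_rwlock_t` member rather than a pointer, but check that the lock is still initialized with `mysql_rwlock_init` before the share is used, because this argument list no longer touches it at all.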

Also, I suggest replacing the use of "share->" with "share_buff.".
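To make the aliasing concrete, here is an added model of the allocation (not MySQL's code): a small `multi_malloc` that behaves like `my_multi_malloc`, and an `open_share` that, like `mi_open`, starts with `share` pointing at a stack `share_buff` and passes `&share->mmap_lock` as a slot. The names `share_t`, `multi_malloc`, `open_share` and the pointer-sized `mmap_lock` member are assumptions made for this demo; with the lock pair present the pointer lands in the stack object's lock member, and with the pair removed (the suggested fix) that member is left untouched.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MYISAM_SHARE: rec_per_key_part is a real pointer that needs a slot
 * in the block, while mmap_lock is an inline member, like mysql_rwlock_t in the report. */
typedef struct {
    long *rec_per_key_part;
    unsigned char mmap_lock[sizeof(void *)]; /* pointer-sized so the stray write stays inside it */
} share_t;

/* Model of my_multi_malloc: (void **slot, size_t size) pairs terminated by NULL. One block is
 * allocated and a pointer into it is stored at every slot, the struct's own slot first. */
static void *multi_malloc(void **slot, size_t size, ...) {
    va_list ap; size_t total = size;
    va_start(ap, size);
    for (void **s = va_arg(ap, void **); s != NULL; s = va_arg(ap, void **))
        total += va_arg(ap, size_t);
    va_end(ap);
    char *block = calloc(1, total), *p = block;
    if (block == NULL) return NULL;
    memcpy(slot, &p, sizeof p);   /* share = block: the share object now lives on the heap */
    p += size;
    va_start(ap, size);
    for (void **s = va_arg(ap, void **); s != NULL; s = va_arg(ap, void **)) {
        memcpy(s, &p, sizeof p);  /* sizeof(void *) bytes land wherever the caller pointed */
        p += va_arg(ap, size_t);
    }
    va_end(ap);
    return block;
}

/* Model of mi_open. The argument addresses are computed while share still points at the stack
 * share_buff, so "&share->mmap_lock" names share_buff.mmap_lock even though the first slot
 * moves share to the heap. Returns 1 if that stack lock member was overwritten, else 0. */
static int open_share(size_t key_parts, int with_lock_pair) {
    share_t share_buff, *share = &share_buff;
    memset(&share_buff, 0, sizeof share_buff);
    void *block = with_lock_pair
        ? multi_malloc((void **)&share, sizeof *share,
                       (void **)&share->rec_per_key_part, sizeof(long) * key_parts,
                       (void **)&share->mmap_lock, sizeof share->mmap_lock, /* pair the fix removes */
                       (void **)NULL)
        : multi_malloc((void **)&share, sizeof *share,
                       (void **)&share->rec_per_key_part, sizeof(long) * key_parts, (void **)NULL);
    if (block == NULL) return -1;
    unsigned char zeros[sizeof(void *)] = {0};
    int stack_written = memcmp(share_buff.mmap_lock, zeros, sizeof zeros) != 0;
    free(block); return stack_written;
}
```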
[2 Jan 2012 19:42] Marc ALFF
Hi Davi

Verified as described.

-- Marc