[Maria-developers] MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL
Hi Sergei,

Please review a patch for mdev-10020.

The problem was that the loop in get_func_mm_tree() accessed an improperly initialized instance of String, which is a bzero'ed part of the in_vector::base array.

Strings in in_vector::base are initialized in Item_func_in::fix_length_and_dec(): in in_vector::in_vector() using sql_calloc, rather than a String constructor, so the str_charset member of this String is NULL.

Strings in in_vector::base are later initialized in Item_func_in::fix_length_and_dec(), using array->set(), in this code:

    uint j=0;
    for (uint i=1 ; i < arg_count ; i++)
    {
      array->set(j,args[i]);
      if (!args[i]->null_value)                    // Skip NULL values
        j++;
      else
        have_null= 1;
    }
    if ((array->used_count= j))
      array->sort();

NULLs are not taken into account, so array->used_count can be smaller than array->count.

This patch fixes the loop in opt_range.cc, in get_func_mm_tree(), to access only properly initialized elements in in_vector::base, preventing access to its bzero'ed non-initialized tail.

Thanks.
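A constructed C++ model of the failure described above (added here, not MariaDB's own code): FakeString, FakeInVector, fill() and count_distinct() are stand-ins for String, in_vector, the fix_length_and_dec() loop and the get_func_mm_tree() loop. The pre-patch bound (count) walks into calloc'ed slots whose charset pointer is NULL; the patched bound (used_count) stays inside the initialized, sorted prefix.

```cpp
#include <algorithm>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed stand-in for MariaDB's String: a calloc'ed slot has cs == nullptr,
// just like str_charset in the bzero'ed tail of in_vector::base.
struct FakeString { const char *ptr; size_t len; const char *cs; };

// Constructed stand-in for in_vector: 'count' slots allocated, only 'used_count' set.
struct FakeInVector {
  FakeString *base;
  unsigned count, used_count;
  explicit FakeInVector(unsigned n)
    : base(static_cast<FakeString*>(calloc(n, sizeof(FakeString)))), count(n), used_count(0) {}
  ~FakeInVector() { free(base); }

  // Mirrors the quoted fix_length_and_dec() loop: NULL items (nullptr here) are
  // skipped, so used_count <= count and only that prefix is sorted.
  void fill(const std::vector<const char*> &items) {
    unsigned j = 0;
    for (const char *s : items)
      if (s) { base[j].ptr = s; base[j].len = strlen(s); base[j].cs = "latin1"; j++; }
    used_count = j;
    std::sort(base, base + used_count,
              [](const FakeString &a, const FakeString &b) { return strcmp(a.ptr, b.ptr) < 0; });
  }

  // A collation-aware compare needs the charset; touching a slot without one is
  // the crash in the bug report, modelled here as an exception instead of a segfault.
  bool compare_elems(unsigned a, unsigned b) const {
    if (!base[a].cs || !base[b].cs)
      throw std::logic_error("uninitialized String: str_charset is NULL");
    return strcmp(base[a].ptr, base[b].ptr) != 0;
  }
};

// Shape of the get_func_mm_tree() loop: compare neighbours from index 1 up to
// 'bound', which is count before the patch and used_count after it.
unsigned count_distinct(const FakeInVector &v, unsigned bound) {
  unsigned distinct = v.used_count ? 1 : 0;
  for (unsigned i = 1; i < bound; i++)
    if (v.compare_elems(i, i - 1)) distinct++;
  return distinct;
}
```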
Hi, Alexander! On Jun 20, Alexander Barkov wrote:
Hi Sergei,
Please review a patch for mdev-10020.
The problem was that the loop in get_func_mm_tree() accessed an improperly initialized instance of String, which is a bzero'ed part of the in_vector::base array.
Could you, please, show complete commits in the future? Like, commit first, then put the output of "git show" in the email. Or fix the post-commit email trigger to work. In this particular case I would've liked to see how much of your fine explanation will go into commit comment.
Strings in in_vector::base are initialized in Item_func_in::fix_length_and_dec(): in in_vector::in_vector() using sql_calloc, rather than a String constructor, so the str_charset member of this String is NULL.
Strings in in_vector::base are later initialized in Item_func_in::fix_length_and_dec(), using array->set(), in this code:
NULLs are not taken into account, so array->used_count can be smaller than array->count.
This patch fixes the loop in opt_range.cc, in get_func_mm_tree(), to access only properly initialized elements in in_vector::base, preventing access to its bzero'ed non-initialized tail.
ok to push!
diff --git a/sql/opt_range.cc b/sql/opt_range.cc index f051ed0..ae5899d 100644 --- a/sql/opt_range.cc +++ b/sql/opt_range.cc @@ -7730,7 +7730,7 @@ static SEL_TREE *get_func_mm_tree(RANGE_OPT_PARAM *param, Item_func *cond_func, break; } SEL_TREE *tree2; - for (; i < func->array->count; i++) + for (; i < func->array->used_count; i++) { if (func->array->compare_elems(i, i-1)) {
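Review bot: the patch touches only sql/opt_range.cc and carries no regression test; a test with a NULL literal in an IN list (the MDEV-10020 case, where used_count ends up smaller than count) should accompany the change so the loop bound cannot silently go back to count. The new bound agrees with the quoted fix_length_and_dec() code, which sets used_count = j and calls array->sort() only on that prefix, so compare_elems(i, i-1) now stays within the sorted, initialized region. A one-line comment at the loop saying that count includes the slots skipped for NULL values would help, since nothing at the loop site explains why used_count is the correct bound.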
Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Participants (2): Alexander Barkov, Sergei Golubchik