
Commit 707e607

author
Shaohua Wang
committed
BUG#22291765 INSERT A TOKEN OF 84 4-BYTES CHARS INTO FTS INDEX
CAUSES SERVER CRASH we allow max token size up to 84 in both MyISAM and InnoDB, but we suppose max multiple-bytes char length is 3 bytes, which is not true. We support 4 bytes chars, e.g. in utf8mb4. So inserting a token of 84 4-bytes chars will cause server crash. Reviewed-by: Jimmy Yang <[email protected]> Reviewed-by: Xing Zhang <[email protected]> RB: 11210
1 parent 5eb6d46 commit 707e607

2 files changed

Lines changed: 9 additions & 8 deletions


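--- a/include/ft_global.h
+++ b/include/ft_global.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -25,8 +25,8 @@
 extern "C" {
 #endif
 
-#define HA_FT_MAXBYTELEN 254
-#define HA_FT_MAXCHARLEN (HA_FT_MAXBYTELEN/3)
+#define HA_FT_MAXBYTELEN 336
+#define HA_FT_MAXCHARLEN (HA_FT_MAXBYTELEN/4)
 
 #define DEFAULT_FTB_SYNTAX "+ -><()~*:\"\"&|"
 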
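Review bot: `HA_FT_MAXBYTELEN 336` is a bare number whose derivation (84 characters of up to 4 bytes each) lives only in the commit message; a comment on the define such as `/* 84 chars * 4 bytes per char (e.g. utf8mb4) */` would keep the two macros from drifting apart again. The new value also no longer fits in one byte, so any code that stores a token's byte length in a `byte`/`uchar`, or sizes a buffer from the old 254 limit, needs the same widening that fts0opt.cc receives in this commit. Only that one file is touched here, so the remaining users of the macro are worth auditing; they are not visible from this page.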

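--- a/storage/innobase/fts/fts0opt.cc
+++ b/storage/innobase/fts/fts0opt.cc
@@ -580,7 +580,7 @@ fts_zip_read_word(
 #ifdef UNIV_DEBUG
 ulint i;
 #endif
-byte len = 0;
+short len = 0;
 void* null = NULL;
 byte* ptr = word->f_str;
 int flush = Z_NO_FLUSH;
@@ -590,7 +590,7 @@ fts_zip_read_word(
 return(NULL);
 }
 
-zip->zp->next_out = &len;
+zip->zp->next_out = reinterpret_cast<byte*>(&len);
 zip->zp->avail_out = sizeof(len);
 
 while (zip->status == Z_OK && zip->zp->avail_out > 0) {
@@ -688,11 +688,12 @@ fts_fetch_index_words(
 fts_zip_t* zip = static_cast<fts_zip_t*>(user_arg);
 que_node_t* exp = sel_node->select_list;
 dfield_t* dfield = que_node_get_val(exp);
-byte len = (byte) dfield_get_len(dfield);
+short len = static_cast<short>(dfield_get_len(dfield));
 void* data = dfield_get_data(dfield);
 
 /* Skip the duplicate words. */
-if (zip->word.f_len == len && !memcmp(zip->word.f_str, data, len)) {
+if (zip->word.f_len == static_cast<ulint>(len)
+&& !memcmp(zip->word.f_str, data, len)) {
 
 return(TRUE);
 }
@@ -706,7 +707,7 @@ fts_fetch_index_words(
 ut_a(zip->zp->next_in == NULL);
 
 /* The string is prefixed by len. */
-zip->zp->next_in = reinterpret_cast<byte*>(&len);
+zip->zp->next_in = reinterpret_cast<byte*>(&len);
 zip->zp->avail_in = sizeof(len);
 
 /* Compress the word, create output blocks as necessary. */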
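Review bot: In `fts_fetch_index_words` the new `static_cast<short>(dfield_get_len(dfield))` still narrows without a range check, so a length above 32767 (or a NULL-length sentinel, if this column can ever yield one) becomes a negative or truncated `len` that is written as the stream prefix and later read back into a signed `short` in `fts_zip_read_word`. An unsigned 16-bit type plus an explicit bound before the cast would enforce the limit rather than assume it, e.g. `ut_a(dfield_get_len(dfield) <= HA_FT_MAXBYTELEN);`. The `memcmp` in the duplicate check is shielded by the `f_len` comparison short-circuiting, but later uses of `len` as a byte count, and the start and end of both functions, lie outside these hunks, so I cannot confirm that the reader validates the prefix before filling `word->f_str`.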
