CVE-2021-2372
Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
Affected products
- pkg:bitnami/mariadb (no CPE), range: >= 10.2.0, < 10.2.40
- pkg:bitnami/mariadb-min (no CPE), range: >= 10.2.0, < 10.2.40
- pkg:bitnami/mysql-client (no CPE), range: >= 10.2.0, < 10.2.40
- pkg:rpm/almalinux/galera (no CPE), range: < 25.3.34-4.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/Judy (no CPE), range: < 1.0.5-18.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mariadb-backup (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-common (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mariadb-devel (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-embedded (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-embedded-devel (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mariadb-errmsg (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mariadb-gssapi-server (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-oqgraph-engine (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-pam (no CPE), range: < 3:10.5.13-1.module_el8.6.0+2761+593e5e59
- pkg:rpm/almalinux/mariadb-server (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mariadb-server-galera (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-server-utils (no CPE), range: < 3:10.3.32-2.module_el8.6.0+2867+72759d2f
- pkg:rpm/almalinux/mariadb-test (no CPE), range: < 3:10.3.32-2.module_el8.5.0+2632+14ced695
- pkg:rpm/almalinux/mecab (no CPE), range: < 0.996-1.module_el8.4.0+2532+b8928c02.9
- pkg:rpm/almalinux/mecab-ipadic (no CPE), range: < 2.7.0.20070801-16.module_el8.5.0+33+8bc5f36a
- pkg:rpm/almalinux/mecab-ipadic-EUCJP (no CPE), range: < 2.7.0.20070801-16.module_el8.5.0+33+8bc5f36a
- pkg:rpm/almalinux/mysql (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-common (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-devel (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-errmsg (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-libs (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-server (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/almalinux/mysql-test (no CPE), range: < 8.0.26-1.module_el8.4.0+2532+b8928c02
- pkg:rpm/opensuse/mariadb&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/opensuse/mariadb&distro=openSUSE%20Tumbleweed (no CPE), range: < 10.6.4-2.1
- pkg:rpm/suse/lz4&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 1.8.0-3.5.2
- pkg:rpm/suse/lz4&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 1.8.0-3.5.2
- pkg:rpm/suse/lz4&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 1.8.0-3.5.2
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 10.4.30-150100.3.5.10
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 10.4.30-8.5.46
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 10.4.30-150100.3.5.10
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 10.4.30-8.5.46
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 10.4.30-150100.3.5.10
- pkg:rpm/suse/mariadb104&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 10.4.30-8.5.46
- pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 3.1.22-2.35.1
- pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 3.1.22-2.35.1
- pkg:rpm/suse/mariadb-connector-c&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 3.1.22-2.35.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Enterprise%20Storage%206 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 (no CPE), range: < 10.4.21-3.14.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3 (no CPE), range: < 10.5.12-3.6.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Manager%20Proxy%204.0 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20Manager%20Server%204.0 (no CPE), range: < 10.2.40-3.43.1
- pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/mariadb&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 10.2.40-3.39.1
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 1.4.6-150100.3.3.7
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 1.3.14-8.9.2
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 1.4.6-150100.3.3.7
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 1.3.14-8.9.2
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 1.4.6-150100.3.3.7
- pkg:rpm/suse/python-mysqlclient&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 1.3.14-8.9.2
- Oracle Corporation/MySQL Server v5, range: 5.7.34 and prior
Patches
52db692f5b4d6 MDEV-26180: Enable test main.sp-row after the 10.5 merge
5 files changed · +8 −19
mysql-test/main/cte_recursive.test+0 −4 modified@@ -1,7 +1,3 @@ -if (`SELECT $PS_PROTOCOL != 0`) -{ - --skip Test temporarily disabled for ps-protocol -} --source include/default_optimizer_switch.inc create table t1 (a int, b varchar(32));
mysql-test/main/func_group.test+0 −5 modified@@ -2,11 +2,6 @@ # simple test of all group functions # -if (`SELECT $PS_PROTOCOL != 0`) -{ - --skip Test temporarily disabled for ps-protocol -} - --disable_warnings drop table if exists t1,t2,t3,t4,t5,t6; --enable_warnings
mysql-test/main/sp-row.result+1 −0 modified@@ -228,6 +228,7 @@ CREATE FUNCTION f1(a INT) RETURNS INT BEGIN RETURN a; END; +$$ CREATE PROCEDURE p1() BEGIN DECLARE a ROW (a INT,b INT);
mysql-test/main/sp-row.test+7 −5 modified@@ -2,11 +2,6 @@ --echo # MDEV-10914 ROW data type for stored routine variables --echo # -if (`SELECT $PS_PROTOCOL != 0`) -{ - --skip Test temporarily disabled for ps-protocol -} - --echo # --echo # ROW of ROWs is not supported yet --echo # @@ -304,6 +299,7 @@ CREATE FUNCTION f1(a INT) RETURNS INT BEGIN RETURN a; END; +$$ CREATE PROCEDURE p1() BEGIN DECLARE a ROW (a INT,b INT); @@ -1340,6 +1336,7 @@ DROP PROCEDURE p1; --echo # ROW variable with a wrong column count +--enable_prepare_warnings CREATE TABLE t1 (a INT, b VARCHAR(32)); INSERT INTO t1 VALUES (10,'b10'); DELIMITER $$; @@ -1351,6 +1348,7 @@ BEGIN END; $$ DELIMITER ;$$ +--disable_prepare_warnings --error ER_WRONG_NUMBER_OF_COLUMNS_IN_SELECT CALL p1(); DROP TABLE t1; @@ -1360,6 +1358,7 @@ DROP PROCEDURE p1; --echo # Multiple ROW variables CREATE TABLE t1 (a INT, b VARCHAR(32)); INSERT INTO t1 VALUES (10,'b10'); +--enable_prepare_warnings DELIMITER $$; CREATE PROCEDURE p1() BEGIN @@ -1369,6 +1368,7 @@ BEGIN END; $$ DELIMITER ;$$ +--disable_prepare_warnings --error ER_OPERAND_COLUMNS CALL p1(); DROP TABLE t1; @@ -1378,6 +1378,7 @@ DROP PROCEDURE p1; --echo # ROW variables working example CREATE TABLE t1 (a INT, b VARCHAR(32)); INSERT INTO t1 VALUES (10,'b10'); +--enable_prepare_warnings DELIMITER $$; CREATE PROCEDURE p1() BEGIN @@ -1387,6 +1388,7 @@ BEGIN END; $$ DELIMITER ;$$ +--disable_prepare_warnings CALL p1(); DROP TABLE t1; DROP PROCEDURE p1;
mysql-test/suite/plugins/t/test_sql_service.test+0 −5 modified@@ -1,8 +1,3 @@ -if (`SELECT $PS_PROTOCOL != 0`) -{ - --skip Test temporarily disabled for ps-protocol -} - --source include/not_embedded.inc if (!$TEST_SQL_SERVICE_SO) {
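Review bot: in mysql-test/main/sp-row.test the placement of --enable_prepare_warnings is inconsistent between hunks: at @@ -1340 it is added before CREATE TABLE t1, while at @@ -1360 and @@ -1378 it is added after the INSERT, directly before DELIMITER $$;. Put it directly before DELIMITER $$; in all three cases so the enabled window covers only the CREATE PROCEDURE statement it is paired with, and add a one-line comment saying why prepare warnings must be on there, since the same file drops the "Test temporarily disabled for ps-protocol" skip and a later reader will want that link spelled out.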
1 file changed · +1 −1
storage/columnstore/columnstore+1 −1 modified@@ -1 +1 @@ -Subproject commit 9797c53e855e190811385e99737ee6d755e7b7fb +Subproject commit 4d3625bf2181e9d434eab95865e81aff14b6f37c
4902b0fdc91c Merge branch '10.3' into 10.4
9 files changed · +119 −50
mysql-test/main/processlist_notembedded.result+1 −0 modified@@ -28,6 +28,7 @@ id select_type table type possible_keys key key_len ref rows Extra Warnings: Note 1003 select sleep(100000) KILL QUERY $con_id; +disconnect con1; # # End of 10.2 tests #
mysql-test/main/processlist_notembedded.test+4 −3 modified@@ -1,4 +1,3 @@ -source include/have_debug.inc; source include/have_debug_sync.inc; source include/not_embedded.inc; source include/count_sessions.inc; @@ -37,8 +36,6 @@ connection default; SET DEBUG_SYNC = 'RESET'; -source include/wait_until_count_sessions.inc; - --echo # --echo # End of 5.5 tests --echo # @@ -52,8 +49,12 @@ source include/wait_until_count_sessions.inc; --send select sleep(100000) --connection default +let $wait_condition= SELECT COUNT(*)=1 FROM information_schema.processlist where state='User sleep'; +source include/wait_condition.inc; evalp SHOW EXPLAIN FOR $con_id; evalp KILL QUERY $con_id; +disconnect con1; +source include/wait_until_count_sessions.inc; --echo # --echo # End of 10.2 tests
mysql-test/suite/gcol/inc/gcol_partition.inc+12 −0 modified@@ -169,3 +169,15 @@ CREATE TABLE t1 ( INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; + +--echo # +--echo # MDEV-26220 Server crashes with indexed by prefix virtual column +--echo # + +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), + KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; + +# Cleanup +DROP TABLE t1;
mysql-test/suite/gcol/r/gcol_partition_innodb.result+11 −0 modified@@ -104,6 +104,17 @@ INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; # +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; +# # MDEV-16980 Wrongly set tablename len while opening the # table for purge thread #
mysql-test/suite/gcol/r/gcol_partition_myisam.result+11 −0 modified@@ -101,6 +101,17 @@ KEY (b,d) INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; +# +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; DROP VIEW IF EXISTS v1,v2; DROP TABLE IF EXISTS t1,t2,t3; DROP PROCEDURE IF EXISTS p1;
mysql-test/suite/gcol/r/innodb_virtual_index.result+14 −0 modified@@ -296,3 +296,17 @@ Table Op Msg_type Msg_text test.t1 optimize note Table does not support optimize, doing recreate + analyze instead test.t1 optimize status OK DROP TABLE t1; +# +# MDEV-20154 Assertion `len <= col->len || ((col->mtype) == 5 +# || (col->mtype) == 14)' failed in row_merge_buf_add +# +CREATE TABLE t1 ( +a VARCHAR(2500), +b VARCHAR(2499) AS (a) VIRTUAL +) ENGINE=InnoDB; +INSERT INTO t1 (a) VALUES ('foo'); +ALTER TABLE t1 MODIFY a VARCHAR(2600), ALGORITHM=INPLACE; +ALTER TABLE t1 ADD KEY (b), ALGORITHM=INPLACE; +# Cleanup +DROP TABLE t1; +# End of 10.2 tests
mysql-test/suite/gcol/t/innodb_virtual_index.test+20 −0 modified@@ -314,3 +314,23 @@ CREATE TABLE t1 (id INT PRIMARY KEY, a CHAR(3), INSERT INTO t1 (id,a) VALUES (1,'foo'); OPTIMIZE TABLE t1; DROP TABLE t1; + +--echo # +--echo # MDEV-20154 Assertion `len <= col->len || ((col->mtype) == 5 +--echo # || (col->mtype) == 14)' failed in row_merge_buf_add +--echo # + +CREATE TABLE t1 ( + a VARCHAR(2500), + b VARCHAR(2499) AS (a) VIRTUAL +) ENGINE=InnoDB; +INSERT INTO t1 (a) VALUES ('foo'); + +ALTER TABLE t1 MODIFY a VARCHAR(2600), ALGORITHM=INPLACE; +ALTER TABLE t1 ADD KEY (b), ALGORITHM=INPLACE; + +--echo # Cleanup +DROP TABLE t1; + +--echo # End of 10.2 tests +
sql/table.cc+15 −0 modified@@ -3851,6 +3851,21 @@ enum open_frm_error open_table_from_share(THD *thd, TABLE_SHARE *share, /* Update to use trigger fields */ switch_defaults_to_nullable_trigger_fields(outparam); + + for (uint k= 0; k < share->keys; k++) + { + KEY &key_info= outparam->key_info[k]; + uint parts = (share->use_ext_keys ? key_info.ext_key_parts : + key_info.user_defined_key_parts); + for (uint p= 0; p < parts; p++) + { + KEY_PART_INFO &kp= key_info.key_part[p]; + if (kp.field != outparam->field[kp.fieldnr - 1]) + { + kp.field->vcol_info = outparam->field[kp.fieldnr - 1]->vcol_info; + } + } + } } #ifdef WITH_PARTITION_STORAGE_ENGINE
storage/innobase/handler/handler0alter.cc+31 −47 modified@@ -7591,6 +7591,10 @@ alter_fill_stored_column( } } +static bool alter_templ_needs_rebuild(const TABLE* altered_table, + const Alter_inplace_info* ha_alter_info, + const dict_table_t* table); + /** Allows InnoDB to update internal structures with concurrent writes blocked (provided that check_if_supported_inplace_alter() @@ -7738,11 +7742,7 @@ ha_innobase::prepare_inplace_alter_table( ha_alter_info->key_count)) { err_exit_no_heap: DBUG_ASSERT(m_prebuilt->trx->dict_operation_lock_mode == 0); - if (ha_alter_info->handler_flags & ~INNOBASE_INPLACE_IGNORE) { - - online_retry_drop_indexes( - m_prebuilt->table, m_user_thd); - } + online_retry_drop_indexes(m_prebuilt->table, m_user_thd); DBUG_RETURN(true); } @@ -8198,9 +8198,9 @@ ha_innobase::prepare_inplace_alter_table( == ALTER_OPTIONS && !alter_options_need_rebuild(ha_alter_info, table))) { + ha_innobase_inplace_ctx *ctx = NULL; if (heap) { - ha_alter_info->handler_ctx - = new ha_innobase_inplace_ctx( + ctx = new ha_innobase_inplace_ctx( m_prebuilt, drop_index, n_drop_index, drop_fk, n_drop_fk, @@ -8212,15 +8212,11 @@ ha_innobase::prepare_inplace_alter_table( || !thd_is_strict_mode(m_user_thd)), alt_opt.page_compressed, alt_opt.page_compression_level); + ha_alter_info->handler_ctx = ctx; } DBUG_ASSERT(m_prebuilt->trx->dict_operation_lock_mode == 0); - if (ha_alter_info->handler_flags & ~(INNOBASE_INPLACE_IGNORE)) { - - online_retry_drop_indexes( - m_prebuilt->table, m_user_thd); - - } + online_retry_drop_indexes(m_prebuilt->table, m_user_thd); if ((ha_alter_info->handler_flags & ALTER_DROP_VIRTUAL_COLUMN) 
@@ -8235,6 +8231,24 @@ ha_innobase::prepare_inplace_alter_table( DBUG_RETURN(true); } + if (!(ha_alter_info->handler_flags & INNOBASE_ALTER_DATA) + && alter_templ_needs_rebuild(altered_table, ha_alter_info, + ctx->new_table) + && ctx->new_table->n_v_cols > 0) { + /* Changing maria record structure may end up here only + if virtual columns were altered. In this case, however, + vc_templ should be rebuilt. Since we don't actually + change any stored data, we can just dispose vc_templ; + it will be recreated on next ha_innobase::open(). */ + + DBUG_ASSERT(ctx->new_table == ctx->old_table); + + dict_free_vc_templ(ctx->new_table->vc_templ); + UT_DELETE(ctx->new_table->vc_templ); + + ctx->new_table->vc_templ = NULL; + } + DBUG_RETURN(false); } @@ -8346,35 +8360,6 @@ ha_innobase::prepare_inplace_alter_table( add_fts_doc_id_idx)); } -/** Check that the column is part of a virtual index(index contains -virtual column) in the table -@param[in] table Table containing column -@param[in] col column to be checked -@return true if this column is indexed with other virtual columns */ -static -bool -dict_col_in_v_indexes( - dict_table_t* table, - dict_col_t* col) -{ - for (dict_index_t* index = dict_table_get_next_index( - dict_table_get_first_index(table)); index != NULL; - index = dict_table_get_next_index(index)) { - if (!dict_index_has_virtual(index)) { - continue; - } - for (ulint k = 0; k < index->n_fields; k++) { - dict_field_t* field - = dict_index_get_nth_field(index, k); - if (field->col->ind == col->ind) { - return(true); - } - } - } - - return(false); -} - /* Check whether a columnn length change alter operation requires to rebuild the template. @param[in] altered_table TABLE object for new version of table. 
@@ -8386,9 +8371,9 @@ to rebuild the template. static bool alter_templ_needs_rebuild( - TABLE* altered_table, - Alter_inplace_info* ha_alter_info, - dict_table_t* table) + const TABLE* altered_table, + const Alter_inplace_info* ha_alter_info, + const dict_table_t* table) { ulint i = 0; @@ -8398,8 +8383,7 @@ alter_templ_needs_rebuild( for (ulint j=0; j < table->n_cols; j++) { dict_col_t* cols = dict_table_get_nth_col(table, j); - if (cf.length > cols->len - && dict_col_in_v_indexes(table, cols)) { + if (cf.length > cols->len) { return(true); } }
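Review bot: in storage/innobase/handler/handler0alter.cc, the block added at @@ -8235 dereferences ctx->new_table without a null check, although the @@ -8198 hunk initialises ctx to NULL and assigns it only inside if (heap). If that branch can be reached with heap unset, the new condition is a NULL dereference in the ALTER path; either add ctx != NULL to the condition or assert it right after the if (heap) block with a comment explaining why heap is always set here. DBUG_ASSERT(ctx->new_table == ctx->old_table) is compiled out of release builds, so the dict_free_vc_templ / UT_DELETE pair that follows relies on that invariant unchecked; a short comment on why both pointers are guaranteed equal at this point would help. The phrase "maria record structure" in the new comment also reads oddly inside InnoDB handler code and should say which structure is meant.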
7f264997dd21 Merge branch '10.2' into 10.3
9 files changed · +119 −50
mysql-test/main/processlist_notembedded.result+1 −0 modified@@ -28,6 +28,7 @@ id select_type table type possible_keys key key_len ref rows Extra Warnings: Note 1003 select sleep(100000) KILL QUERY $con_id; +disconnect con1; # # End of 10.2 tests #
mysql-test/main/processlist_notembedded.test+4 −3 modified@@ -1,4 +1,3 @@ -source include/have_debug.inc; source include/have_debug_sync.inc; source include/not_embedded.inc; source include/count_sessions.inc; @@ -37,8 +36,6 @@ connection default; SET DEBUG_SYNC = 'RESET'; -source include/wait_until_count_sessions.inc; - --echo # --echo # End of 5.5 tests --echo # @@ -52,8 +49,12 @@ source include/wait_until_count_sessions.inc; --send select sleep(100000) --connection default +let $wait_condition= SELECT COUNT(*)=1 FROM information_schema.processlist where state='User sleep'; +source include/wait_condition.inc; evalp SHOW EXPLAIN FOR $con_id; evalp KILL QUERY $con_id; +disconnect con1; +source include/wait_until_count_sessions.inc; --echo # --echo # End of 10.2 tests
mysql-test/suite/gcol/inc/gcol_partition.inc+12 −0 modified@@ -169,3 +169,15 @@ CREATE TABLE t1 ( INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; + +--echo # +--echo # MDEV-26220 Server crashes with indexed by prefix virtual column +--echo # + +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), + KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; + +# Cleanup +DROP TABLE t1;
mysql-test/suite/gcol/r/gcol_partition_innodb.result+11 −0 modified@@ -104,6 +104,17 @@ INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; # +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; +# # MDEV-16980 Wrongly set tablename len while opening the # table for purge thread #
mysql-test/suite/gcol/r/gcol_partition_myisam.result+11 −0 modified@@ -101,6 +101,17 @@ KEY (b,d) INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; +# +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; DROP VIEW IF EXISTS v1,v2; DROP TABLE IF EXISTS t1,t2,t3; DROP PROCEDURE IF EXISTS p1;
mysql-test/suite/gcol/r/innodb_virtual_index.result+14 −0 modified@@ -296,3 +296,17 @@ Table Op Msg_type Msg_text test.t1 optimize note Table does not support optimize, doing recreate + analyze instead test.t1 optimize status OK DROP TABLE t1; +# +# MDEV-20154 Assertion `len <= col->len || ((col->mtype) == 5 +# || (col->mtype) == 14)' failed in row_merge_buf_add +# +CREATE TABLE t1 ( +a VARCHAR(2500), +b VARCHAR(2499) AS (a) VIRTUAL +) ENGINE=InnoDB; +INSERT INTO t1 (a) VALUES ('foo'); +ALTER TABLE t1 MODIFY a VARCHAR(2600), ALGORITHM=INPLACE; +ALTER TABLE t1 ADD KEY (b), ALGORITHM=INPLACE; +# Cleanup +DROP TABLE t1; +# End of 10.2 tests
mysql-test/suite/gcol/t/innodb_virtual_index.test+20 −0 modified@@ -314,3 +314,23 @@ CREATE TABLE t1 (id INT PRIMARY KEY, a CHAR(3), INSERT INTO t1 (id,a) VALUES (1,'foo'); OPTIMIZE TABLE t1; DROP TABLE t1; + +--echo # +--echo # MDEV-20154 Assertion `len <= col->len || ((col->mtype) == 5 +--echo # || (col->mtype) == 14)' failed in row_merge_buf_add +--echo # + +CREATE TABLE t1 ( + a VARCHAR(2500), + b VARCHAR(2499) AS (a) VIRTUAL +) ENGINE=InnoDB; +INSERT INTO t1 (a) VALUES ('foo'); + +ALTER TABLE t1 MODIFY a VARCHAR(2600), ALGORITHM=INPLACE; +ALTER TABLE t1 ADD KEY (b), ALGORITHM=INPLACE; + +--echo # Cleanup +DROP TABLE t1; + +--echo # End of 10.2 tests +
sql/table.cc+15 −0 modified@@ -3436,6 +3436,21 @@ enum open_frm_error open_table_from_share(THD *thd, TABLE_SHARE *share, /* Update to use trigger fields */ switch_defaults_to_nullable_trigger_fields(outparam); + + for (uint k= 0; k < share->keys; k++) + { + KEY &key_info= outparam->key_info[k]; + uint parts = (share->use_ext_keys ? key_info.ext_key_parts : + key_info.user_defined_key_parts); + for (uint p= 0; p < parts; p++) + { + KEY_PART_INFO &kp= key_info.key_part[p]; + if (kp.field != outparam->field[kp.fieldnr - 1]) + { + kp.field->vcol_info = outparam->field[kp.fieldnr - 1]->vcol_info; + } + } + } } #ifdef WITH_PARTITION_STORAGE_ENGINE
storage/innobase/handler/handler0alter.cc+31 −47 modified@@ -6245,6 +6245,10 @@ alter_fill_stored_column( } } +static bool alter_templ_needs_rebuild(const TABLE* altered_table, + const Alter_inplace_info* ha_alter_info, + const dict_table_t* table); + /** Allows InnoDB to update internal structures with concurrent writes blocked (provided that check_if_supported_inplace_alter() @@ -6394,11 +6398,7 @@ ha_innobase::prepare_inplace_alter_table( ha_alter_info->key_count)) { err_exit_no_heap: DBUG_ASSERT(m_prebuilt->trx->dict_operation_lock_mode == 0); - if (ha_alter_info->handler_flags & ~INNOBASE_INPLACE_IGNORE) { - - online_retry_drop_indexes( - m_prebuilt->table, m_user_thd); - } + online_retry_drop_indexes(m_prebuilt->table, m_user_thd); DBUG_RETURN(true); } @@ -6849,9 +6849,9 @@ ha_innobase::prepare_inplace_alter_table( == ALTER_OPTIONS && !alter_options_need_rebuild(ha_alter_info, table))) { + ha_innobase_inplace_ctx *ctx = NULL; if (heap) { - ha_alter_info->handler_ctx - = new ha_innobase_inplace_ctx( + ctx = new ha_innobase_inplace_ctx( m_prebuilt, drop_index, n_drop_index, rename_index, n_rename_index, @@ -6864,15 +6864,11 @@ ha_innobase::prepare_inplace_alter_table( || !thd_is_strict_mode(m_user_thd)), alt_opt.page_compressed, alt_opt.page_compression_level); + ha_alter_info->handler_ctx = ctx; } DBUG_ASSERT(m_prebuilt->trx->dict_operation_lock_mode == 0); - if (ha_alter_info->handler_flags & ~(INNOBASE_INPLACE_IGNORE)) { - - online_retry_drop_indexes( - m_prebuilt->table, m_user_thd); - - } + online_retry_drop_indexes(m_prebuilt->table, m_user_thd); if ((ha_alter_info->handler_flags & ALTER_DROP_VIRTUAL_COLUMN) 
@@ -6887,6 +6883,24 @@ ha_innobase::prepare_inplace_alter_table( DBUG_RETURN(true); } + if (!(ha_alter_info->handler_flags & INNOBASE_ALTER_DATA) + && alter_templ_needs_rebuild(altered_table, ha_alter_info, + ctx->new_table) + && ctx->new_table->n_v_cols > 0) { + /* Changing maria record structure may end up here only + if virtual columns were altered. In this case, however, + vc_templ should be rebuilt. Since we don't actually + change any stored data, we can just dispose vc_templ; + it will be recreated on next ha_innobase::open(). */ + + DBUG_ASSERT(ctx->new_table == ctx->old_table); + + dict_free_vc_templ(ctx->new_table->vc_templ); + UT_DELETE(ctx->new_table->vc_templ); + + ctx->new_table->vc_templ = NULL; + } + DBUG_RETURN(false); } @@ -7000,35 +7014,6 @@ ha_innobase::prepare_inplace_alter_table( add_fts_doc_id_idx)); } -/** Check that the column is part of a virtual index(index contains -virtual column) in the table -@param[in] table Table containing column -@param[in] col column to be checked -@return true if this column is indexed with other virtual columns */ -static -bool -dict_col_in_v_indexes( - dict_table_t* table, - dict_col_t* col) -{ - for (dict_index_t* index = dict_table_get_next_index( - dict_table_get_first_index(table)); index != NULL; - index = dict_table_get_next_index(index)) { - if (!dict_index_has_virtual(index)) { - continue; - } - for (ulint k = 0; k < index->n_fields; k++) { - dict_field_t* field - = dict_index_get_nth_field(index, k); - if (field->col->ind == col->ind) { - return(true); - } - } - } - - return(false); -} - /* Check whether a columnn length change alter operation requires to rebuild the template. @param[in] altered_table TABLE object for new version of table. 
@@ -7040,9 +7025,9 @@ to rebuild the template. static bool alter_templ_needs_rebuild( - TABLE* altered_table, - Alter_inplace_info* ha_alter_info, - dict_table_t* table) + const TABLE* altered_table, + const Alter_inplace_info* ha_alter_info, + const dict_table_t* table) { ulint i = 0; List_iterator_fast<Create_field> cf_it( @@ -7054,8 +7039,7 @@ alter_templ_needs_rebuild( for (ulint j=0; j < table->n_cols; j++) { dict_col_t* cols = dict_table_get_nth_col(table, j); - if (cf->length > cols->len - && dict_col_in_v_indexes(table, cols)) { + if (cf->length > cols->len) { return(true); } }
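Review bot: in storage/innobase/handler/handler0alter.cc at @@ -7054, dropping the dict_col_in_v_indexes() filter leaves cf->length > cols->len as the only visible condition, so alter_templ_needs_rebuild() now reports true for any length increase, whether or not a virtual index is involved, while its header comment ("Check whether a columnn length change alter operation requires to rebuild the template") is left unchanged. Update that comment to state the new, broader contract. In the caller added at @@ -6887 the cheap test ctx->new_table->n_v_cols > 0 is evaluated after the call; moving it ahead of alter_templ_needs_rebuild(...) avoids walking the column lists for tables that have no virtual columns and makes it obvious that vc_templ is only discarded when virtual columns exist.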
b549af691370 MDEV-26220 Server crashes with indexed by prefix virtual column
4 files changed · +49 −0
mysql-test/suite/gcol/inc/gcol_partition.inc+12 −0 modified@@ -169,3 +169,15 @@ CREATE TABLE t1 ( INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; + +--echo # +--echo # MDEV-26220 Server crashes with indexed by prefix virtual column +--echo # + +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), + KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; + +# Cleanup +DROP TABLE t1;
mysql-test/suite/gcol/r/gcol_partition_innodb.result+11 −0 modified@@ -104,6 +104,17 @@ INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; # +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; +# # MDEV-16980 Wrongly set tablename len while opening the # table for purge thread #
mysql-test/suite/gcol/r/gcol_partition_myisam.result+11 −0 modified@@ -101,6 +101,17 @@ KEY (b,d) INSERT INTO t1 () VALUES (),(); UPDATE t1 SET a = 0 WHERE b IS NULL ORDER BY pk; DROP TABLE t1; +# +# MDEV-26220 Server crashes with indexed by prefix virtual column +# +CREATE TABLE t1 (pk INT PRIMARY KEY, a INT, b CHAR(20), c CHAR(20) AS (b), +KEY (c(10),a)) PARTITION BY HASH(pk); +INSERT INTO t1 (pk,a,b) VALUES (1,10,'foo'),(2,11,'baz'); +SELECT a FROM t1; +a +11 +10 +DROP TABLE t1; DROP VIEW IF EXISTS v1,v2; DROP TABLE IF EXISTS t1,t2,t3; DROP PROCEDURE IF EXISTS p1;
sql/table.cc+15 −0 modified@@ -3284,6 +3284,21 @@ enum open_frm_error open_table_from_share(THD *thd, TABLE_SHARE *share, /* Update to use trigger fields */ switch_defaults_to_nullable_trigger_fields(outparam); + + for (uint k= 0; k < share->keys; k++) + { + KEY &key_info= outparam->key_info[k]; + uint parts = (share->use_ext_keys ? key_info.ext_key_parts : + key_info.user_defined_key_parts); + for (uint p= 0; p < parts; p++) + { + KEY_PART_INFO &kp= key_info.key_part[p]; + if (kp.field != outparam->field[kp.fieldnr - 1]) + { + kp.field->vcol_info = outparam->field[kp.fieldnr - 1]->vcol_info; + } + } + } } #ifdef WITH_PARTITION_STORAGE_ENGINE
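Review bot: the loop added to open_table_from_share() in sql/table.cc indexes outparam->field[kp.fieldnr - 1] twice with no check that kp.fieldnr is non-zero; a key part with fieldnr == 0 would read before the start of the field array. Add a DBUG_ASSERT(kp.fieldnr > 0) (or skip such parts) before the comparison. The block also has no comment: state that a key part whose kp.field differs from the table's field is a separate Field object (the prefix-key case the MDEV-26220 test exercises with KEY (c(10),a)) and that it needs the same vcol_info, and note that the pointer is shared rather than copied so whoever frees vcol_info must not do it through both fields.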
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2UTW5KMPPDKIMGB4ULE2HS22HYLVKYIH/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6OO2Q5PIFURXLLKCIJE6XF6VL4LLMNO5/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPJAGVMRKODR4QIXQSVEM4BLRZUM7P3R/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VGR5ZTB5QEDRRC6G5U6TFNCIVBBKGS5J/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.netapp.com/advisory/ntap-20210723-0001/ (mitre, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpujul2021.html (mitre, x_refsource_MISC)