From 24e5d564005904bc589fc869ea2f913eec8e6c3a Mon Sep 17 00:00:00 2001
From: Oleg Smirnov
Date: Fri, 20 Dec 2024 14:58:33 +0700
Subject: [PATCH] MDEV-35680 Table number > MAX_TABLES causes overflow of table_map at main.join test

Fix a regression introduced by commit d98ac851 (MDEV-29935, MDEV-26247) causing MAX_TABLES overflow in `setup_table_map()`. The check for MAX_TABLES was moved outside of the loop that increments table numbers, allowing overflows during loop iterations. Since setup_table_map() operates on a 64-bit bitmap, table numbers exceeding 64 triggered the UBSAN check. This commit returns the overflow check within the loop and adds a debug assertion to `setup_table_map()` to ensure no bitmap overrun occurs.
---
 sql/sql_base.cc | 14 +++++++++-----
 sql/sql_base.h | 1 +
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index bcab54ac1ec..5c03ba3d42d 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -7862,11 +7862,15 @@ bool setup_tables(THD *thd, Name_resolution_context *context,
 DBUG_RETURN(1);
 }
 tablenr++;
- }
- if (tablenr > MAX_TABLES)
- {
- my_error(ER_TOO_MANY_TABLES,MYF(0), static_cast(MAX_TABLES));
- DBUG_RETURN(1);
+ /*
+ Test MAX_TABLES overflow here inside the loop as setup_table_map()
+ called in each iteration is sensitive for this
+ */
+ if (tablenr > MAX_TABLES)
+ {
+ my_error(ER_TOO_MANY_TABLES, MYF(0), static_cast(MAX_TABLES));
+ DBUG_RETURN(1);
+ }
 }
 if (select_insert && !is_insert_tables_num_set)
 {
diff --git a/sql/sql_base.h b/sql/sql_base.h
index 894c8213e66..90c47e69d94 100644
--- a/sql/sql_base.h
+++ b/sql/sql_base.h
@@ -353,6 +353,7 @@ inline void setup_table_map(TABLE *table, TABLE_LIST *table_list, uint tablenr)
 table->maybe_null= embedding->outer_join;
 embedding= embedding->embedding;
 }
+ DBUG_ASSERT(tablenr <= MAX_TABLES);
 table->tablenr= tablenr;
 table->map= (table_map) 1 << tablenr;
 table->force_index= table_list->force_index;
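Review bot: The limit test added after `tablenr++` in setup_tables() runs at the end of an iteration, so, assuming the `setup_table_map()` call sits earlier in the loop body as the new comment implies (the call and the loop head are outside this hunk), the first table over the limit still has its map computed with `tablenr == MAX_TABLES` before ER_TOO_MANY_TABLES is raised. That is harmless only while MAX_TABLES is smaller than the bit width of table_map. The comment should say this, for example `/* tablenr == MAX_TABLES can reach setup_table_map() once; the error is raised right after that iteration */`. The existing wording "sensitive for this" would also read better as "sensitive to this".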
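Review bot: `DBUG_ASSERT(tablenr <= MAX_TABLES)` in setup_table_map() is, as the commit message says, a debug assertion, so in non-debug builds the shift `(table_map) 1 << tablenr` is still protected only by what each caller checks. The function is an inline in a header, and callers other than setup_tables() are not visible on this page. I would document the precondition above the assertion, e.g. `/* Callers must guarantee tablenr <= MAX_TABLES; verified in debug builds only */`. If MAX_TABLES is not already defined relative to the width of table_map, a compile-time check such as `static_assert(MAX_TABLES < sizeof(table_map) * 8, "table_map too narrow");` would make the `<=` bound provably safe for the shift.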