From 88e70f4caea34e0d7677b1fa646151b8b87dd3ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Lindstr=C3=B6m?=
Date: Mon, 24 Aug 2020 16:50:53 +0300
Subject: [PATCH] MDEV-23558: Galera heap-buffer-overflow at wsrep_schema.cc:1067

Key buffer needs to contain max field widths i.e. add MAX_FIELD_WIDTH.
---
 sql/wsrep_schema.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sql/wsrep_schema.cc b/sql/wsrep_schema.cc
index 619a535f916..df9c7b78c9b 100644
--- a/sql/wsrep_schema.cc
+++ b/sql/wsrep_schema.cc
@@ -935,7 +935,7 @@ int Wsrep_schema::update_fragment_meta(THD* thd,
 Wsrep_schema_impl::binlog_off binlog_off(thd);
 int error;
- uchar key[MAX_KEY_LENGTH];
+ uchar key[MAX_KEY_LENGTH+MAX_FIELD_WIDTH];
 key_part_map key_map= 0;
 TABLE* frag_table= 0;
@@ -997,7 +997,7 @@ static int remove_fragment(THD* thd,
 seqno.get());
 int ret= 0;
 int error;
- uchar key[MAX_KEY_LENGTH];
+ uchar key[MAX_KEY_LENGTH+MAX_FIELD_WIDTH];
 key_part_map key_map= 0;
 DBUG_ASSERT(server_id.is_undefined() == false);
@@ -1120,7 +1120,7 @@ int Wsrep_schema::replay_transaction(THD* orig_thd,
 int ret= 1;
 int error;
 TABLE* frag_table= 0;
- uchar key[MAX_KEY_LENGTH];
+ uchar key[MAX_KEY_LENGTH+MAX_FIELD_WIDTH];
 key_part_map key_map= 0;
 for (std::vector::const_iterator i= fragments.begin();
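Review bot: The enlarged size `MAX_KEY_LENGTH+MAX_FIELD_WIDTH` is spelled out separately in update_fragment_meta, remove_fragment and replay_transaction, and none of the three declarations says why that sum is a safe upper bound for what gets written into `key`. The code that fills the buffer lies outside these hunks (all three function bodies continue past them), so the bound cannot be checked from the declaration alone. I would define it once, under a name such as `static const size_t wsrep_key_buf_len= MAX_KEY_LENGTH + MAX_FIELD_WIDTH;` (the name is only a suggestion), with a comment naming the key-building call it has to cover, and declare `uchar key[wsrep_key_buf_len];` in each function. It is also worth confirming that no other `uchar key[MAX_KEY_LENGTH]` remains in wsrep_schema.cc on the same path; the diff does not show that.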