From f521b8ac219102332eec99f854809e6331b3dbce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?=
Date: Fri, 17 Jan 2025 12:34:03 +0200
Subject: [PATCH] MDEV-35723: applying non-zero offset to null pointer in INSERT
row_mysql_read_blob_ref(): Correctly handle what Field_blob::store() generates for length=0.
---
 mysql-test/suite/innodb/r/innodb.result | 6 ++++++
 mysql-test/suite/innodb/t/innodb.test | 7 +++++++
 storage/innobase/row/row0mysql.cc | 8 ++++++++
 3 files changed, 21 insertions(+)
diff --git a/mysql-test/suite/innodb/r/innodb.result b/mysql-test/suite/innodb/r/innodb.result
index e1d99c3b731..8d6aa0332e0 100644
--- a/mysql-test/suite/innodb/r/innodb.result
+++ b/mysql-test/suite/innodb/r/innodb.result
@@ -3337,3 +3337,9 @@ Table Op Msg_type Msg_text
 test.t1 check status OK
 ALTER TABLE t1 FORCE;
 DROP TABLE t1;
+#
+# MDEV-35723: applying zero offset to null pointer on INSERT
+#
+CREATE TABLE t1(c TEXT(1) NOT NULL, INDEX (c)) ENGINE=InnoDB;
+INSERT INTO t1 SET c='';
+DROP TABLE t1;
diff --git a/mysql-test/suite/innodb/t/innodb.test b/mysql-test/suite/innodb/t/innodb.test
index ec217715aef..73baf7ed7ba 100644
--- a/mysql-test/suite/innodb/t/innodb.test
+++ b/mysql-test/suite/innodb/t/innodb.test
@@ -2605,3 +2605,10 @@ CHECK TABLE t1;
 ALTER TABLE t1 FORCE;
 # Cleanup
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-35723: applying zero offset to null pointer on INSERT
+--echo #
+CREATE TABLE t1(c TEXT(1) NOT NULL, INDEX (c)) ENGINE=InnoDB;
+INSERT INTO t1 SET c='';
+DROP TABLE t1;
diff --git a/storage/innobase/row/row0mysql.cc b/storage/innobase/row/row0mysql.cc
index 4e7cd6b0b37..09b4bff16b9 100644
--- a/storage/innobase/row/row0mysql.cc
+++ b/storage/innobase/row/row0mysql.cc
@@ -244,6 +244,14 @@ row_mysql_read_blob_ref(
 *len = mach_read_from_n_little_endian(ref, col_len - 8);
+ if (!*len) {
+ /* Field_blob::store() if (!length) would encode both
+ the length and the pointer in the same area. An empty
+ string must be a valid (nonnull) pointer in the
+ collation functions that cmp_data() may invoke. */
+ return ref;
+ }
+
 memcpy(&data, ref + col_len - 8, sizeof data);
 return(data);
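Review bot: The comment on the new `if (!*len)` branch leaves the key invariant implicit: for an empty value the eight pointer bytes at `ref + col_len - 8` are deliberately never read (the commit comment suggests they may hold the length encoding rather than a pointer), and the returned `ref` is only a non-null placeholder that must never be dereferenced. I would state that outright, e.g. `/* Empty value: the 8-byte pointer may be unset, so do not read it; return ref only as a valid non-NULL address for len == 0 so that NULL + offset is never formed. */`. The `col_len - 8` arithmetic on the context line above is pre-existing and still unguarded here; presumably callers ensure col_len > 8. Style: `return ref;` sits a few lines above `return(data);`, the file's parenthesised form, so `return(ref);` keeps the function consistent. row_mysql_read_blob_ref's signature and closing brace lie outside the hunk.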