MDEV-30732 : wsrep_store_key_val_for_row() may invoke memcpy() on nullptr

janlindstrom · janlindstrom · commit 33023ba44d02 · 2025-09-24T14:31:59.000+03:00
Problem was that row_mysql_read_blob_ref can return NULL
in case when blob datatype is used in a key and its real
value is NULL. This NULL pointer is then used in memcpy
function in wsrep_store_key_val_for_row. However,
memcpy is defined so that argument 2 must not be NULL.

Fixed by adding conditions before memcpy functions so
that argument 2 is always non NULL.
diff --git a/mysql-test/suite/galera/r/MDEV-30732.result b/mysql-test/suite/galera/r/MDEV-30732.result
@@ -0,0 +1,41 @@
+connection node_2;
+connection node_1;
+SET GLOBAL sql_mode=0;
+SET sql_mode=DEFAULT;
+CREATE TABLE t (c INT,c2 BLOB NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+Warnings:
+Warning	1364	Field 'c2' doesn't have a default value
+SELECT * FROM t;
+c	c2
+1	
+1	
+1	
+1	
+1	
+DROP TABLE t;
+CREATE TABLE t (c INT,c2 VARCHAR(270) NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+Warnings:
+Warning	1364	Field 'c2' doesn't have a default value
+SELECT * FROM t;
+c	c2
+1	
+1	
+1	
+1	
+1	
+DROP TABLE t;
+CREATE TABLE t (c INT,c2 CHAR(80) NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+Warnings:
+Warning	1364	Field 'c2' doesn't have a default value
+SELECT * FROM t;
+c	c2
+1	
+1	
+1	
+1	
+1	
+DROP TABLE t;
+SET GLOBAL sql_mode=DEFAULT;
diff --git a/mysql-test/suite/galera/t/MDEV-30732.test b/mysql-test/suite/galera/t/MDEV-30732.test
@@ -0,0 +1,18 @@
+--source include/galera_cluster.inc
+
+SET GLOBAL sql_mode=0;
+SET sql_mode=DEFAULT;
+CREATE TABLE t (c INT,c2 BLOB NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+SELECT * FROM t;
+DROP TABLE t;
+CREATE TABLE t (c INT,c2 VARCHAR(270) NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+SELECT * FROM t;
+DROP TABLE t;
+CREATE TABLE t (c INT,c2 CHAR(80) NOT NULL,KEY k2 (c2 (1),c)) DEFAULT CHARSET=latin1 ROW_FORMAT=COMPACT;
+INSERT INTO t (c) VALUES (1),(1),(1),(1),(1);
+SELECT * FROM t;
+DROP TABLE t;
+
+SET GLOBAL sql_mode=DEFAULT;
diff --git a/storage/innobase/handler/ha_innodb.cc b/storage/innobase/handler/ha_innodb.cc
@@ -6675,8 +6675,9 @@ wsrep_store_key_val_for_row(
 	*key_is_null = true;
 
 	for (; key_part != end; key_part++) {
-		uchar sorted[REC_VERSION_56_MAX_INDEX_COL_LEN] = {'\0'};
+		uchar sorted[REC_VERSION_56_MAX_INDEX_COL_LEN];
 		bool part_is_null = false;
+		memset(sorted, 0, sizeof(sorted));
 
 		if (key_part->null_bit) {
 			if (buff_space > 0) {
@@ -6755,13 +6756,17 @@ wsrep_store_key_val_for_row(
 			/* cannot exceed max column lenght either, we may need to truncate
 			the stored value: */
 			if (true_len > sizeof(sorted)) {
-			  true_len = sizeof(sorted);
+				true_len = sizeof(sorted);
 			}
 
-			memcpy(sorted, data, true_len);
-			true_len = wsrep_innobase_mysql_sort(
-				mysql_type, cs->number, sorted, true_len,
-				REC_VERSION_56_MAX_INDEX_COL_LEN);
+			ut_ad(data || (data == nullptr && true_len == 0));
+			if (data) {
+				memcpy(sorted, data, true_len);
+
+				true_len = wsrep_innobase_mysql_sort(
+					mysql_type, cs->number, sorted, true_len,
+					REC_VERSION_56_MAX_INDEX_COL_LEN);
+			}
 			if (wsrep_protocol_version > 1) {
 				/* Note that we always reserve the maximum possible
 				length of the true VARCHAR in the key value, though
@@ -6774,7 +6779,7 @@ wsrep_store_key_val_for_row(
 						 wsrep_thd_query(thd));
 					true_len = buff_space;
 				}
- 				memcpy(buff, sorted, true_len);
+				memcpy(buff, sorted, true_len);
 				buff += true_len;
 				buff_space -= true_len;
 			} else {
@@ -6846,11 +6851,14 @@ wsrep_store_key_val_for_row(
 				true_len = key_len;
 			}
 
-			memcpy(sorted, blob_data, true_len);
-			true_len = wsrep_innobase_mysql_sort(
-				mysql_type, cs->number, sorted, true_len,
-				REC_VERSION_56_MAX_INDEX_COL_LEN);
-
+			ut_ad(blob_data || (blob_data == nullptr && true_len == 0));
+			if (blob_data) {
+				memcpy(sorted, blob_data, true_len);
+			
+				true_len = wsrep_innobase_mysql_sort(
+					mysql_type, cs->number, sorted, true_len,
+					REC_VERSION_56_MAX_INDEX_COL_LEN);
+			}
 
 			/* Note that we always reserve the maximum possible
 			length of the BLOB prefix in the key value. */
@@ -6926,10 +6934,15 @@ wsrep_store_key_val_for_row(
 								cs->mbmaxlen),
 							&error);
 				}
-				memcpy(sorted, src_start, true_len);
-				true_len = wsrep_innobase_mysql_sort(
-					mysql_type, cs->number, sorted, true_len,
-					REC_VERSION_56_MAX_INDEX_COL_LEN);
+
+				ut_ad(src_start || (src_start == nullptr && true_len == 0));
+				if (src_start) {
+					memcpy(sorted, src_start, true_len);
+
+					true_len = wsrep_innobase_mysql_sort(
+						mysql_type, cs->number, sorted, true_len,
+						REC_VERSION_56_MAX_INDEX_COL_LEN);
+				}
 
 				if (true_len > buff_space) {
 					fprintf (stderr,
@@ -6939,7 +6952,10 @@ wsrep_store_key_val_for_row(
 				}
 				memcpy(buff, sorted, true_len);
 			} else {
-				memcpy(buff, src_start, true_len);
+				ut_ad(src_start || (src_start == nullptr && true_len == 0));
+				if (src_start) {
+					memcpy(buff, src_start, true_len);
+				}
 			}
 			buff       += true_len;
 			buff_space -= true_len;
