Commit 08d1de2c authored by unknown's avatar unknown

mem0pool.c:

  Fix a memory corruption bug: in 32-bit computers, every 4 billionth malloc outside innodb_additional_mem_pool_size was mistreated when freeing the memory; this could corrupt the InnoDB additional mem pool and could have caused crashes anywhere, also inside MySQL, or even database corruption! the bug exists also in 3.23 and 4.1; workaround: configure innodb_additional_mem_pool_size big enough


innobase/mem/mem0pool.c:
  Fix a memory corruption bug: in 32-bit computers, every 4 billionth malloc outside innodb_additional_mem_pool_size was mistreated when freeing the memory; this could corrupt the InnoDB additional mem pool and could have caused crashes anywhere, also inside MySQL, or even database corruption! the bug exists also in 3.23 and 4.1; workaround: configure innodb_additional_mem_pool_size big enough
parent d4f6c7a4
+5 −13
@@ -97,8 +97,6 @@ struct mem_pool_struct{
/* The common memory pool */
mem_pool_t*	mem_comm_pool	= NULL;

ulint		mem_out_of_mem_err_msg_count	= 0;

/* We use this counter to check that the mem pool mutex does not leak;
this is to track a strange assertion failure reported at
mysql@lists.mysql.com */
@@ -267,8 +265,6 @@ mem_pool_fill_free_list(
		/* We come here when we have run out of space in the
		memory pool: */
     
		mem_out_of_mem_err_msg_count++;
     
		return(FALSE);
	}

@@ -460,18 +456,14 @@ mem_area_free(
	ulint		size;
	ulint		n;
	
	if (mem_out_of_mem_err_msg_count > 0) {
		/* It may be that the area was really allocated from the
		OS with regular malloc: check if ptr points within
		our memory pool */
	/* It may be that the area was really allocated from the OS with
	regular malloc: check if ptr points within our memory pool */

		if ((byte*)ptr < pool->buf
				|| (byte*)ptr >= pool->buf + pool->size) {
	if ((byte*)ptr < pool->buf || (byte*)ptr >= pool->buf + pool->size) {
		ut_free(ptr);

		return;
	}
	}

	area = (mem_area_t*) (((byte*)ptr) - MEM_AREA_EXTRA_SIZE);
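Review bot: The range test in mem_area_free, `if ((byte*)ptr < pool->buf || (byte*)ptr >= pool->buf + pool->size)`, is now the only thing separating pool areas from areas obtained with regular malloc, and the comment above it does not say that it must stay unconditional. I would extend that comment with the reason, e.g. `/* This check must never be gated on a counter: the old ulint counter wrapped to 0 on 32-bit builds, and pool bookkeeping was then applied to a malloc'ed area */`. Separately, ptr may point outside the object that pool->buf refers to, and ISO C leaves relational comparison of unrelated pointers undefined, so comparing the addresses as integers (`(ulint)ptr < (ulint)pool->buf`, assuming ulint is pointer-sized in this tree) would be more robust against an optimizing compiler. mem_area_free's body starts and ends outside the hunk.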