BUG#31360522 : >=5.6.36 SOME RANGE QUERIES STILL CRASH...

DESCRIPTION:
============
Certain range queries on a table with index prefixed
BLOB/TEXT columns could lead to a server exit.

ANALYSIS:
=========
While opening the table based on its table share, in
open_table_from_share(), we create a copy of the key_info
from TABLE_SHARE object to TABLE object. If the key is
prefixed, we allocate a new Field object, having its
field_length set to the prefix key length, and point the
table's matching key_part->field to this new Field object.
We skip creating the new Field object for prefixed BLOB
columns.

A secondary key is extended by adding primary key parts to
it if the primary key part does not exist in the secondary
key or the key part in the secondary key is a prefix of the
key field (add_pk_parts_to_sk()). The consequence of
skipping the creation of new Field object for prefixed BLOB
columns is that the key parts from the secondary key and
primary key will be pointing to the same Field object.

Later, while performing end-range scan, we check if the key
is within range (compare_key_in_buffer()). We change the
offsets of all the fields in the key range to make the
fields point to the record buffer
(move_key_field_offsets()). In case of BLOBs, we end up
moving the same field twice in move_key_field_offsets().
This leads to accessing out of bound memory while performing
key comparison.

FIX:
====
We allow creating new Field object even for BLOB columns in
open_table_from_share().

Note:
=====
This issue is not a regression but rather was exposed in
5.6.36 by the patch for Bug#23481444: OPTIMISER CALL
ROW_SEARCH_MVCC() AND READ THE INDEX APPLIED BY UNCOMMITTED
ROWS.

Change-Id: I407dec8a997de2c51ebf62351351288beb7dde5e

Author: karthik-kamath

sql/sql_partition.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2005, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2005, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -834,6 +834,12 @@ static bool handle_list_of_fields(List_iterator<char> it,
       for (i= 0; i < num_key_parts; i++)
       {
         Field *field= table->key_info[primary_key].key_part[i].field;
+        // BLOB/TEXT columns are not allowed in partitioning keys.
+        if (field->flags & BLOB_FLAG)
+        {
+          my_error(ER_BLOB_FIELD_IN_PART_FUNC_ERROR, MYF(0));
+          DBUG_RETURN(TRUE);
+        }
         field->flags|= GET_FIXED_FIELDS_FLAG;
       }
     }

sql/table.cc

@@ -3241,8 +3241,15 @@ int open_table_from_share(THD *thd, TABLE_SHARE *share, const char *alias,
       {
         Field *field= key_part->field= outparam->field[key_part->fieldnr-1];
 
+        /*
+          For spatial indexes, the key parts are assigned the length (4 *
+          sizeof(double)) in mysql_prepare_create_table() and the
+          field->key_length() is set to 0. This makes it appear like a prefixed
+          index. However, prefixed indexes are not allowed on Geometric columns.
+          Hence skipping new field creation for Geometric columns.
+        */
         if (field->key_length() != key_part->length &&
-            !(field->flags & BLOB_FLAG))
+            field->type() != MYSQL_TYPE_GEOMETRY)
         {
           /*
             We are using only a prefix of the column as a key: