mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00

Bug#42188: crash and/or memory corruption with user variables in trigger

Interchangeable calls to the mysql_change_user client function
and invocations of a trigger changing some user variable caused
a memory corruption and a crash.

The mysql_change_user API call forces TDH::cleanup() on a server
that frees user variable entries.
However it didn't reset Item_func_set_user_var::entry to NULL
because Item_func_set_user_var::cleanup() was not overloaded.
So, Item_func_set_user_var::entry held a pointer to freed memory,
which caused a crash.

The Item_func_set_user_var::cleanup method has been overloaded
to clean up the Item_func_set_user_var::entry field.
Gleb Shchepa
2009-01-23 22:18:02 +04:00
parent a27a91ca7a
commit 33a09cdcc8
4 changed files with 24 additions and 0 deletions


@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
0 3 3
1 3 4
drop table t1;
CREATE TABLE t1 (i INT);
CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
DROP TABLE t1;
End of 5.1 tests
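
Review bot: nothing in the added block reads @bug42188 back after the two `INSERT INTO t1 VALUES (1);` statements, so the recorded output only proves that the server did not crash, not that the trigger's assignment still works once the user variable entries have been freed and recreated. Consider adding `SELECT @bug42188;` after the second INSERT so that the expected value 10 is recorded. A comment line naming Bug#42188 above `CREATE TABLE t1 (i INT);` would also help, because the recorded statements show no sign of the mysql_change_user step that the commit message says is needed to trigger the problem.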