database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-16699 heap-use-after-free in group_concat with compressed or GIS columns

Browse Source 
Field_blob::store() has special code for GROUP_CONCAT temporary table
(to store blob values in Blob_mem_storage - this prevents them
from being freed/overwritten when a next row is read).

Field_geom and Field_blob_compressed inherit from Field_blob but they
have their own ::store() method without this special Blob_mem_storage
support.

Considering that non-grouping CONCAT() of such fields converts
them to plain BLOB, let's do the same for GROUP_CONCAT. To do it,
Item_func_group_concat::setup will signal that it's creating
a temporary table for GROUP_CONCAT, and Field_blog::make_new_field()
override will create base Field_blob when under group concat.
This commit is contained in:
Sergei Golubchik
2024-08-31 23:57:33 +02:00
parent 65418ca9ad
commit 3ea71a2c8e
11 changed files with 89 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
sql/sql_insert.cc
View File

@ -4509,12 +4509,9 @@ TABLE *select_create::create_table_from_items(THD *thd, List<Item> *items,
bool save_table_creation_was_logged;
DBUG_ENTER("select_create::create_table_from_items");
tmp_table.reset();
tmp_table.s= &share;
init_tmp_table_share(thd, &share, "", 0, "", "");
tmp_table.s->db_create_options=0;
tmp_table.null_row= 0;
tmp_table.maybe_null= 0;
tmp_table.in_use= thd;
if (!(thd->variables.option_bits & OPTION_EXPLICIT_DEF_TIMESTAMP))