Bug#37956 memory leak and / or crash with geometry and prepared statements!

Bug#37671 crash on prepared statement + cursor + geometry + too many open files! if mysql_execute_command() returns error then free materialized_cursor object. is_rnd_inited is added to satisfy rnd_end() assertion (handler may be uninitialized in some cases) sql/sql_cursor.cc: if mysql_execute_command() returns error then free materialized_cursor object. is_rnd_inited is added to satisfy rnd_end() assertion (handler may be uninitialized in some cases) sql/sql_select.cc: added result check tests/mysql_client_test.c: test case
2025-07-30 16:24:05 +03:00 · 2008-12-10 18:13:11 +04:00
parent a6be137556
commit 84de3b930b
3 changed files with 72 additions and 7 deletions
--- a/sql/sql_cursor.cc
+++ b/sql/sql_cursor.cc
@ -85,6 +85,7 @@ class Materialized_cursor: public Server_side_cursor
  List<Item> item_list;
  ulong fetch_limit;
  ulong fetch_count;
+  bool is_rnd_inited;
 public:
  Materialized_cursor(select_result *result, TABLE *table);

@ -191,7 +192,11 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
      such command is SHOW VARIABLES or SHOW STATUS.
  */
  if (rc)
+  {
+    if (result_materialize->materialized_cursor)
+      delete result_materialize->materialized_cursor;
    goto err_open;
+  }

  if (sensitive_cursor->is_open())
  {
@ -532,7 +537,8 @@ Materialized_cursor::Materialized_cursor(select_result *result_arg,
  :Server_side_cursor(&table_arg->mem_root, result_arg),
  table(table_arg),
  fetch_limit(0),
-  fetch_count(0)
+  fetch_count(0),
+  is_rnd_inited(0)
 {
  fake_unit.init_query();
  fake_unit.thd= table->in_use;
@ -589,11 +595,12 @@ int Materialized_cursor::open(JOIN *join __attribute__((unused)))
  THD *thd= fake_unit.thd;
  int rc;
  Query_arena backup_arena;
-
  thd->set_n_backup_active_arena(this, &backup_arena);
  /* Create a list of fields and start sequential scan */
-  rc= (result->prepare(item_list, &fake_unit) ||
-       table->file->ha_rnd_init(TRUE));
+  rc= result->prepare(item_list, &fake_unit);
+  if (!rc && !(rc= table->file->ha_rnd_init(TRUE)))
+    is_rnd_inited= 1;
+
  thd->restore_active_arena(this, &backup_arena);
  if (rc == 0)
  {
@ -673,7 +680,8 @@ void Materialized_cursor::close()
 {
  /* Free item_list items */
  free_items();
-  (void) table->file->ha_rnd_end();
+  if (is_rnd_inited)
+    (void) table->file->ha_rnd_end();
  /*
    We need to grab table->mem_root to prevent free_tmp_table from freeing:
    the cursor object was allocated in this memory.