database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug#42188: crash and/or memory corruption with user variables

Browse Source 
in trigger

Interchangeable calls to the mysql_change_user client function
and invocations of a trigger changing some user variable caused
a memory corruption and a crash.

The mysql_change_user API call forces TDH::cleanup() on a server
that frees user variable entries.
However it didn't reset Item_func_set_user_var::entry to NULL
because Item_func_set_user_var::cleanup() was not overloaded.
So, Item_func_set_user_var::entry held a pointer to freed memory,
that caused a crash.

The Item_func_set_user_var::cleanup method has been overloaded
to cleanup the Item_func_set_user_var::entry field.


mysql-test/r/user_var.result:
  Added test case for bug #42188.
mysql-test/t/user_var.test:
  Added test case for bug #42188.
sql/item_func.cc:
  Bug#42188: crash and/or memory corruption with user variables
             in trigger
  
  The Item_func_set_user_var::cleanup method has been overloaded
  to cleanup the Item_func_set_user_var::entry field.
sql/item_func.h:
  Bug#42188: crash and/or memory corruption with user variables
             in trigger
  
  The Item_func_set_user_var::cleanup method has been overloaded
  to cleanup the Item_func_set_user_var::entry field.
This commit is contained in:
Gleb Shchepa
2009-01-23 22:18:02 +04:00
parent db337eb8d8
commit 93991b6be9
4 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
mysql-test/r/user_var.result
View File

@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
0 3 3
1 3 4
drop table t1;
CREATE TABLE t1 (i INT);
CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
DROP TABLE t1;
End of 5.1 tests

11
mysql-test/t/user_var.test
View File

@ -285,4 +285,15 @@ set @lastid=-1;
select @lastid != id, @lastid, @lastid := id from t1;
drop table t1;
#
# Bug#42188: crash and/or memory corruption with user variables in trigger
#
CREATE TABLE t1 (i INT);
CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
INSERT INTO t1 VALUES (1);
--change_user
INSERT INTO t1 VALUES (1);
DROP TABLE t1;
--echo End of 5.1 tests

7
sql/item_func.cc
View File

@ -3808,6 +3808,13 @@ static user_var_entry *get_variable(HASH *hash, LEX_STRING &name,
}
void Item_func_set_user_var::cleanup()
{
Item_func::cleanup();
entry= NULL;
}
bool Item_func_set_user_var::set_entry(THD *thd, bool create_if_not_exists)
{
if (entry && thd->thread_id == entry_thread_id)

1
sql/item_func.h
View File

@ -1357,6 +1357,7 @@ public:
void save_org_in_field(Field *field) { (void)save_in_field(field, 1, 0); }
bool register_field_in_read_map(uchar *arg);
bool set_entry(THD *thd, bool create_if_not_exists);
void cleanup();
};