From 9a60e89a907618eed1cabc63843fd983baa17fb7 Mon Sep 17 00:00:00 2001
From: Monty
Date: Mon, 14 Dec 2020 15:27:07 +0200
Subject: [PATCH] Fixed some possible usage of freed memory

- Create_tmp_table::finalize didn't clear file after delete which could cause a double free. This is however not a likely problem as this code path is very unlikely to happen
- free_tmp_table() could do handler calls even if the table was never opened. Fixed by adding a test if the table is opened.
---
 sql/sql_select.cc | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 5422346884d..812917df3ad 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18675,6 +18675,7 @@ bool Create_tmp_table::finalize(THD *thd,
   if (table->file->set_ha_share_ref(&share->ha_share))
   {
     delete table->file;
+    table->file= 0;
     goto err;
   }
   table->file->set_table(table);
@@ -19913,11 +19914,14 @@ free_tmp_table(THD *thd, TABLE *entry)
   if (entry->file && entry->is_created())
   {
-    DBUG_ASSERT(entry->db_stat);
-    entry->file->ha_index_or_rnd_end();
-    entry->file->info(HA_STATUS_VARIABLE);
-    thd->tmp_tables_size+= (entry->file->stats.data_file_length +
-                            entry->file->stats.index_file_length);
+    if (entry->db_stat)
+    {
+      /* The table was properly opened in open_tmp_table() */
+      entry->file->ha_index_or_rnd_end();
+      entry->file->info(HA_STATUS_VARIABLE);
+      thd->tmp_tables_size+= (entry->file->stats.data_file_length +
+                              entry->file->stats.index_file_length);
+    }
     entry->file->ha_drop_table(entry->s->path.str);
     delete entry->file;
   }
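Review bot: The added `table->file= 0;` after `delete table->file;` in Create_tmp_table::finalize carries no comment, so it reads as housekeeping rather than the double-free guard the commit message describes; a reader of the `err:` path has no cue that a null `file` is what makes the later cleanup skip the handler. Suggest `/* Reset so the err: cleanup does not delete file a second time */` on the line above the assignment. The `err:` label and the rest of finalize are outside this hunk, so I cannot confirm from here which cleanup runs there; if finalize has other `delete table->file` / `goto err` pairs, they need the same reset.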
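Review bot: The new `if (entry->db_stat)` guard in free_tmp_table documents the opened case but leaves the unopened case implicit: `ha_drop_table` and `delete` still run when `db_stat` is 0, and nothing says why those two calls are valid on a created-but-never-opened handler while `ha_index_or_rnd_end()` and `info()` are not. Suggest a comment after the guard's closing brace, e.g. `/* db_stat == 0: table was created but never opened (or open failed); only drop and delete are valid here */`. That relies on ha_drop_table not requiring an open handler, which the commit message implies but the hunk does not show, so it is worth confirming against the handler API. Dropping the `DBUG_ASSERT(entry->db_stat)` also means a never-opened table no longer contributes to `thd->tmp_tables_size`, which appears intended and could be stated in the same comment. The enclosing function continues past the end of this hunk.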