MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*)

This bug report is not about ASAN Use After Free issue. This bug is about missed calling of the method LEX::cleanup_lex_after_parse_error that should happen on parse error. Aforementioned method calls sphead::restore_thd_mem_root to clean up resources acquired on processing a stored routine. Particularly, the method sp_head::restore_tht_mem_root is called to restore an original mem root and reset LEX::sphead into nullptr. The method LEX::cleanup_lex_after_parse_error is invoked by the macros MYSQL_YYABORT. Unfortunately, some rules of grammar for handling user variables in SQL use YYABORT instead of MYSQL_YYABORT to handle parser errors. As a consequence, in case a statement with setting of a user variable is called inside a stored routine, it results in assert failure in sp_head destructor. To fix the issue the macros YYABORT should be replaced by MYSQL_YYABORT in those grammar rules that handle assignment of user variables.
2025-07-29 05:21:33 +03:00 · 2022-04-04 14:32:16 +07:00
parent d48774e0e0
commit cd56b40f6d
3 changed files with 35 additions and 6 deletions
--- a/mysql-test/main/sp.test
+++ b/mysql-test/main/sp.test
@ -10484,3 +10484,20 @@ DELIMITER ;$$
 --echo #
 --echo # End of 10.4 tests
 --echo #
+
+--echo #
+--echo # MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*)
+--echo #
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SELECT 1 INTO @;
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SET @=1;
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SELECT @;
+
+--echo #
+--echo # End of 10.7 tests
+--echo #