1
0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00

MDEV-21341: Fix UBSAN failures: Issue Six

(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 version of the fix, with handling for class sp_package)

sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.

Fixed by providing static sp_head::create() and sp_head::destroy() methods.
This commit is contained in:
Sergei Petrunia
2020-01-12 22:15:55 +03:00
parent 9c3eca8514
commit d531b4ee3a
9 changed files with 71 additions and 55 deletions

View File

@ -793,7 +793,7 @@ void lex_end_stage1(LEX *lex)
}
else
{
delete lex->sphead;
sp_head::destroy(lex->sphead);
lex->sphead= NULL;
}
@ -3049,13 +3049,13 @@ void LEX::cleanup_lex_after_parse_error(THD *thd)
DBUG_ASSERT(pkg == pkg->m_top_level_lex->sphead);
pkg->restore_thd_mem_root(thd);
LEX *top= pkg->m_top_level_lex;
delete pkg;
sp_package::destroy(pkg);
thd->lex= top;
thd->lex->sphead= NULL;
}
else
{
delete thd->lex->sphead;
sp_head::destroy(thd->lex->sphead);
thd->lex->sphead= NULL;
}
}
@ -6190,7 +6190,7 @@ sp_head *LEX::make_sp_head(THD *thd, const sp_name *name,
sp_head *sp;
/* Order is important here: new - reset - init */
if (likely((sp= new sp_head(package, sph))))
if (likely((sp= sp_head::create(package, sph))))
{
sp->reset_thd_mem_root(thd);
sp->init(this);
@ -7829,7 +7829,7 @@ sp_package *LEX::create_package_start(THD *thd,
return 0;
}
}
if (unlikely(!(pkg= new sp_package(this, name_arg, sph))))
if (unlikely(!(pkg= sp_package::create(this, name_arg, sph))))
return NULL;
pkg->reset_thd_mem_root(thd);
pkg->init(this);