mirror of
https://github.com/MariaDB/server.git
synced 2025-07-04 01:23:45 +03:00
MDEV-18083 ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table
remove TABLE_SHARE::error_table_name() and TABLE_SHARE::orig_table_name (that was allocated in a wrong memroot in this bug). instead, simply set TABLE_SHARE::table_name correctly.
This commit is contained in:
Sergei Golubchik
@ -27,3 +27,9 @@ t2 CREATE TEMPORARY TABLE `t2` (
|
|||||||
`a` int(11) DEFAULT NULL,
|
`a` int(11) DEFAULT NULL,
|
||||||
`v` int(11) GENERATED ALWAYS AS (`a`) VIRTUAL
|
`v` int(11) GENERATED ALWAYS AS (`a`) VIRTUAL
|
||||||
) ENGINE=MyISAM DEFAULT CHARSET=latin1
|
) ENGINE=MyISAM DEFAULT CHARSET=latin1
|
||||||
|
drop temporary table t1, t2;
|
||||||
|
create temporary table t1 (a int);
|
||||||
|
alter table t1 add column f text;
|
||||||
|
insert into t1 values ('x','foo');
|
||||||
|
ERROR 22007: Incorrect integer value: 'x' for column `test`.`t1`.`a` at row 1
|
||||||
|
drop temporary table t1;
|
||||||
|
|||||||
@ -19,3 +19,13 @@ lock table t2 write;
|
|||||||
--error ER_ALTER_OPERATION_NOT_SUPPORTED
|
--error ER_ALTER_OPERATION_NOT_SUPPORTED
|
||||||
alter table t2 change column a b int, algorithm=inplace;
|
alter table t2 change column a b int, algorithm=inplace;
|
||||||
show create table t2;
|
show create table t2;
|
||||||
|
drop temporary table t1, t2;
|
||||||
|
|
||||||
|
#
|
||||||
|
# MDEV-18083 ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table
|
||||||
|
#
|
||||||
|
create temporary table t1 (a int);
|
||||||
|
alter table t1 add column f text;
|
||||||
|
--error ER_TRUNCATED_WRONG_VALUE_FOR_FIELD
|
||||||
|
insert into t1 values ('x','foo');
|
||||||
|
drop temporary table t1;
|
||||||
|
|||||||
@ -8635,7 +8635,7 @@ int Field_geom::store(const char *from, uint length, CHARSET_INFO *cs)
|
|||||||
(uint32) geom_type != wkb_type)
|
(uint32) geom_type != wkb_type)
|
||||||
{
|
{
|
||||||
const char *db= table->s->db.str;
|
const char *db= table->s->db.str;
|
||||||
const char *tab_name= table->s->error_table_name();
|
const char *tab_name= table->s->table_name.str;
|
||||||
|
|
||||||
if (!db)
|
if (!db)
|
||||||
db= "";
|
db= "";
|
||||||
@ -10821,7 +10821,7 @@ void Field::set_warning_truncated_wrong_value(const char *type_arg,
|
|||||||
{
|
{
|
||||||
THD *thd= get_thd();
|
THD *thd= get_thd();
|
||||||
const char *db_name= table->s->db.str;
|
const char *db_name= table->s->db.str;
|
||||||
const char *table_name= table->s->error_table_name();
|
const char *table_name= table->s->table_name.str;
|
||||||
|
|
||||||
if (!db_name)
|
if (!db_name)
|
||||||
db_name= "";
|
db_name= "";
|
||||||
|
|||||||
@ -16753,7 +16753,7 @@ create_tmp_table(THD *thd, TMP_TABLE_PARAM *param, List<Item> &fields,
|
|||||||
table->no_rows_with_nulls= param->force_not_null_cols;
|
table->no_rows_with_nulls= param->force_not_null_cols;
|
||||||
|
|
||||||
table->s= share;
|
table->s= share;
|
||||||
init_tmp_table_share(thd, share, "", 0, tmpname, tmpname);
|
init_tmp_table_share(thd, share, "", 0, "(temporary)", tmpname);
|
||||||
share->blob_field= blob_field;
|
share->blob_field= blob_field;
|
||||||
share->table_charset= param->table_charset;
|
share->table_charset= param->table_charset;
|
||||||
share->primary_key= MAX_KEY; // Indicate no primary key
|
share->primary_key= MAX_KEY; // Indicate no primary key
|
||||||
@ -17539,7 +17539,7 @@ bool Virtual_tmp_table::open()
|
|||||||
bool open_tmp_table(TABLE *table)
|
bool open_tmp_table(TABLE *table)
|
||||||
{
|
{
|
||||||
int error;
|
int error;
|
||||||
if ((error= table->file->ha_open(table, table->s->table_name.str, O_RDWR,
|
if ((error= table->file->ha_open(table, table->s->path.str, O_RDWR,
|
||||||
HA_OPEN_TMP_TABLE |
|
HA_OPEN_TMP_TABLE |
|
||||||
HA_OPEN_INTERNAL_TABLE)))
|
HA_OPEN_INTERNAL_TABLE)))
|
||||||
{
|
{
|
||||||
@ -17735,13 +17735,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((error= maria_create(share->table_name.str,
|
if ((error= maria_create(share->path.str, file_type, share->keys, &keydef,
|
||||||
file_type,
|
(uint) (*recinfo-start_recinfo), start_recinfo,
|
||||||
share->keys, &keydef,
|
share->uniques, &uniquedef, &create_info,
|
||||||
(uint) (*recinfo-start_recinfo),
|
|
||||||
start_recinfo,
|
|
||||||
share->uniques, &uniquedef,
|
|
||||||
&create_info,
|
|
||||||
create_flags)))
|
create_flags)))
|
||||||
{
|
{
|
||||||
table->file->print_error(error,MYF(0)); /* purecov: inspected */
|
table->file->print_error(error,MYF(0)); /* purecov: inspected */
|
||||||
@ -17891,11 +17887,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
|
|||||||
bzero((char*) &create_info,sizeof(create_info));
|
bzero((char*) &create_info,sizeof(create_info));
|
||||||
create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;
|
create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;
|
||||||
|
|
||||||
if ((error=mi_create(share->table_name.str, share->keys, &keydef,
|
if ((error=mi_create(share->path.str, share->keys, &keydef,
|
||||||
(uint) (*recinfo-start_recinfo),
|
(uint) (*recinfo-start_recinfo), start_recinfo,
|
||||||
start_recinfo,
|
share->uniques, &uniquedef, &create_info,
|
||||||
share->uniques, &uniquedef,
|
|
||||||
&create_info,
|
|
||||||
HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE |
|
HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE |
|
||||||
((share->db_create_options & HA_OPTION_PACK_RECORD) ?
|
((share->db_create_options & HA_OPTION_PACK_RECORD) ?
|
||||||
HA_PACK_RECORD : 0)
|
HA_PACK_RECORD : 0)
|
||||||
@ -18049,7 +18043,7 @@ err_killed:
|
|||||||
(void) table->file->ha_rnd_end();
|
(void) table->file->ha_rnd_end();
|
||||||
(void) new_table.file->ha_close();
|
(void) new_table.file->ha_close();
|
||||||
err1:
|
err1:
|
||||||
new_table.file->ha_delete_table(new_table.s->table_name.str);
|
new_table.file->ha_delete_table(new_table.s->path.str);
|
||||||
err2:
|
err2:
|
||||||
delete new_table.file;
|
delete new_table.file;
|
||||||
thd_proc_info(thd, save_proc_info);
|
thd_proc_info(thd, save_proc_info);
|
||||||
@ -18074,9 +18068,9 @@ free_tmp_table(THD *thd, TABLE *entry)
|
|||||||
{
|
{
|
||||||
entry->file->ha_index_or_rnd_end();
|
entry->file->ha_index_or_rnd_end();
|
||||||
if (entry->db_stat)
|
if (entry->db_stat)
|
||||||
entry->file->ha_drop_table(entry->s->table_name.str);
|
entry->file->ha_drop_table(entry->s->path.str);
|
||||||
else
|
else
|
||||||
entry->file->ha_delete_table(entry->s->table_name.str);
|
entry->file->ha_delete_table(entry->s->path.str);
|
||||||
delete entry->file;
|
delete entry->file;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -9440,7 +9440,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
|
|||||||
goto err_new_table_cleanup;
|
goto err_new_table_cleanup;
|
||||||
|
|
||||||
if (ha_create_table(thd, alter_ctx.get_tmp_path(),
|
if (ha_create_table(thd, alter_ctx.get_tmp_path(),
|
||||||
alter_ctx.new_db, alter_ctx.tmp_name,
|
alter_ctx.new_db, alter_ctx.new_name,
|
||||||
create_info, &frm))
|
create_info, &frm))
|
||||||
goto err_new_table_cleanup;
|
goto err_new_table_cleanup;
|
||||||
|
|
||||||
@ -9449,7 +9449,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
|
|||||||
|
|
||||||
new_table=
|
new_table=
|
||||||
thd->create_and_open_tmp_table(new_db_type, &frm, alter_ctx.get_tmp_path(),
|
thd->create_and_open_tmp_table(new_db_type, &frm, alter_ctx.get_tmp_path(),
|
||||||
alter_ctx.new_db, alter_ctx.tmp_name, true);
|
alter_ctx.new_db, alter_ctx.new_name, true);
|
||||||
if (!new_table)
|
if (!new_table)
|
||||||
goto err_new_table_cleanup;
|
goto err_new_table_cleanup;
|
||||||
|
|
||||||
@ -9511,7 +9511,6 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
|
|||||||
goto err_new_table_cleanup;
|
goto err_new_table_cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
new_table->s->orig_table_name= table->s->table_name.str;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Note: In case of MERGE table, we do not attach children. We do not
|
Note: In case of MERGE table, we do not attach children. We do not
|
||||||
|
|||||||
@ -880,7 +880,7 @@ void make_truncated_value_warning(THD *thd,
|
|||||||
if (field_name)
|
if (field_name)
|
||||||
{
|
{
|
||||||
const char *db_name= s->db.str;
|
const char *db_name= s->db.str;
|
||||||
const char *table_name= s->error_table_name();
|
const char *table_name= s->table_name.str;
|
||||||
|
|
||||||
if (!db_name)
|
if (!db_name)
|
||||||
db_name= "";
|
db_name= "";
|
||||||
|
|||||||
@ -5182,7 +5182,7 @@ int TABLE::verify_constraints(bool ignore_failure)
|
|||||||
field_error.append((*chk)->name.str);
|
field_error.append((*chk)->name.str);
|
||||||
my_error(ER_CONSTRAINT_FAILED,
|
my_error(ER_CONSTRAINT_FAILED,
|
||||||
MYF(ignore_failure ? ME_JUST_WARNING : 0), field_error.c_ptr(),
|
MYF(ignore_failure ? ME_JUST_WARNING : 0), field_error.c_ptr(),
|
||||||
s->db.str, s->error_table_name());
|
s->db.str, s->table_name.str);
|
||||||
return ignore_failure ? VIEW_CHECK_SKIP : VIEW_CHECK_ERROR;
|
return ignore_failure ? VIEW_CHECK_SKIP : VIEW_CHECK_ERROR;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
10
sql/table.h
10
sql/table.h
@ -625,16 +625,6 @@ struct TABLE_SHARE
|
|||||||
LEX_STRING normalized_path; /* unpack_filename(path) */
|
LEX_STRING normalized_path; /* unpack_filename(path) */
|
||||||
LEX_STRING connect_string;
|
LEX_STRING connect_string;
|
||||||
|
|
||||||
const char* orig_table_name; /* Original table name for this tmp table */
|
|
||||||
const char* error_table_name() const /* Get table name for error messages */
|
|
||||||
{
|
|
||||||
return tmp_table ? (
|
|
||||||
orig_table_name ?
|
|
||||||
orig_table_name :
|
|
||||||
"(temporary)") :
|
|
||||||
table_name.str;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Set of keys in use, implemented as a Bitmap.
|
Set of keys in use, implemented as a Bitmap.
|
||||||
Excludes keys disabled by ALTER TABLE ... DISABLE KEYS.
|
Excludes keys disabled by ALTER TABLE ... DISABLE KEYS.
|
||||||
|
|||||||
Reference in New Issue
Block a user