These changes are submitted under the BSD 3-clause License. The original ticket describes a server crash when using a UDF in the WHERE clause of a view. The crash also happens when using a UDF in the WHERE clause of a SELECT that uses a sub-query in the FROM clause. When the UDF does not have a _deinit function the server crashes in udf_handler::cleanup (sql/item_func.cc:3467). When the UDF has both an _init and a _deinit function but _init does not allocate memory for initid->ptr the server crashes in udf_handler::cleanup (sql/item_func.cc:3467). When the UDF has both an _init and a _deinit function and allocates/deallocates memory for initid->ptr the server crashes in the memory deallocation of the _deinit function. The sequence of events seen are: 1. A UDF, U, is created for the query. 2. The UDF _init function is called using U->initid. 3. U is cloned for the sub-query using the [default|implicit] copy constructor, resulting in V. 4. The UDF _init function is called using V->initid. U->initid and V->initid are the same value. 5. The UDF function is called. 6. The UDF _deinit function is called using U->initid. If any memory was allocated for initid->ptr it is deallocated here. 7. udf_handler::cleanup deletes the U->buffers String array. 8. The UDF _deinit function is called using V->initid. If any memory was allocated for initid->ptr it was previously deallocated and _deinit crashes the server. 9. udf_handler::cleanup deletes the V->buffers String array. V->buffers was the same values as U->buffers which was already deallocated. The server crashes. The solution is to create a[n explicit] copy constructor for udf_handler which sets not_original to true. Later, not_original is set back to false (0) after udf_handler::fix_fields has set up a new value for initid->ptr.
#ifndef SQL_UDF_INCLUDED
#define SQL_UDF_INCLUDED
/* Copyright (c) 2000, 2003-2007 MySQL AB, 2009 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
/* This file defines structures needed by udf functions */
#ifdef USE_PRAGMA_INTERFACE
#pragma interface
#endif
/*
  Kind of a registered UDF: a plain scalar function, or an aggregate that
  additionally provides the clear/add (and optionally remove) hooks.
*/
enum Item_udftype
{
  UDFTYPE_FUNCTION= 1,
  UDFTYPE_AGGREGATE
};
/*
  Signatures of the entry points a UDF shared library exports.

  udf_func::func is stored as the untyped Udf_func_any and cast by
  udf_handler to the Udf_func_double / Udf_func_longlong form that matches
  the declared return type. The is_null / error out-parameters are the
  udf_handler::is_null / udf_handler::error bytes the handler inspects
  after every call.
*/
typedef my_bool (*Udf_func_init)(UDF_INIT *initid, UDF_ARGS *args,
                                 char * /* presumably the message buffer
                                           filled on failure; not used in
                                           this header */);
typedef void (*Udf_func_deinit)(UDF_INIT *initid);
typedef void (*Udf_func_any)();
typedef double (*Udf_func_double)(UDF_INIT *initid, UDF_ARGS *args,
                                  uchar *is_null, uchar *error);
typedef longlong (*Udf_func_longlong)(UDF_INIT *initid, UDF_ARGS *args,
                                      uchar *is_null, uchar *error);
typedef void (*Udf_func_clear)(UDF_INIT *initid, uchar *is_null,
                               uchar *error);
typedef void (*Udf_func_add)(UDF_INIT *initid, UDF_ARGS *args,
                             uchar *is_null, uchar *error);
/*
  Descriptor of one loaded UDF. It is shared: every udf_handler that calls
  the function keeps only a pointer to it (udf_handler::u_d), and
  find_udf()/free_udf() below hand references out and back.
*/
typedef struct st_udf_func
{
  LEX_CSTRING name;            /* Name the function was registered under */
  Item_result returns;         /* Declared return type (udf_handler::result_type) */
  Item_udftype type;           /* Plain function or aggregate */
  const char *dl;              /* Name of the shared library providing the symbols */
  void *dlhandle;              /* Handle of the loaded library (presumably from dlopen) */
  Udf_func_any func;           /* Main entry point; cast per `returns` in udf_handler */
  Udf_func_init func_init;     /* _init hook; may be absent (NULL) */
  Udf_func_deinit func_deinit; /* _deinit hook; may be absent (NULL) */
  Udf_func_clear func_clear;   /* Aggregates only: reset hook */
  Udf_func_add func_add;       /* Aggregates only: add-row hook */
  Udf_func_add func_remove;    /* Aggregates only, optional: remove-row hook;
                                  NULL unless udf_handler::supports_removal() */
  ulong usage_count;           /* Active users; see find_udf(mark_used)/free_udf() */
} udf_func;
class Item_result_field;
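/*
  Per-Item state for calling a loaded UDF.

  Holds the UDF_INIT / UDF_ARGS blocks the UDF ABI expects, the String
  buffers used to pass string arguments, and the is_null/error bytes the
  UDF reports back, and forwards val()/val_int()/... to the entry points
  recorded in u_d.

  Copy semantics (see the change description): when the optimizer clones
  an Item that embeds a udf_handler (a UDF in the WHERE clause of a view
  or of a derived table), the clone is a shallow copy that shares
  initid.ptr and buffers with the original. If both instances ran
  cleanup() the UDF's _deinit would see the same initid->ptr twice and
  buffers would be delete[]'d twice. Every copy therefore starts with
  not_original == true so cleanup() can skip releasing shared state;
  fix_fields() is expected to clear the flag once the copy has state of
  its own. Both the copy constructor and the copy assignment operator
  below apply this rule; do not let the compiler generate either.
*/
class udf_handler :public Sql_alloc
{
protected:
  udf_func *u_d;          /* Loaded function descriptor; may be NULL */
  String *buffers;        /* One String per argument; delete[]'d by cleanup() */
  UDF_ARGS f_args;        /* Argument block handed to the UDF on every call */
  UDF_INIT initid;        /* UDF-private state; initid.ptr is owned by the UDF */
  char *num_buffer;       /* Scratch storage for numeric arguments (presumably
                             allocated by fix_fields(); not visible here) */
  uchar error, is_null;   /* Out-flags written by the UDF on each call */
  bool initialized;       /* true once the UDF's _init has run for this instance */
  Item **args;            /* Argument Items, set by fix_fields() */

public:
  /*
    true while this instance is a shallow copy that shares initid.ptr and
    buffers with another udf_handler; cleanup() must then neither run the
    UDF's _deinit nor free buffers. Cleared by fix_fields() once the copy
    owns its own state.
  */
  bool not_original;

  /*
    Bind a fresh handler to a loaded UDF.
    All pointers start out NULL and f_args/initid zeroed; the argument
    buffers and numeric scratch space are set up later (fix_fields()).
  */
  udf_handler(udf_func *udf_arg)
    :u_d(udf_arg), buffers(0), f_args(), initid(), num_buffer(0),
     error(0), is_null(0), initialized(0), args(0), not_original(0)
  {}

  /*
    Shallow copy, used when an Item embedding this handler is cloned.
    Shares u_d, buffers, f_args, initid (including initid.ptr), num_buffer
    and args with orig, and marks the copy not_original so that cleanup()
    on the copy does not deinit the UDF or delete[] buffers orig owns.
  */
  udf_handler(const udf_handler &orig)
    :Sql_alloc(orig), u_d(orig.u_d), buffers(orig.buffers),
     f_args(orig.f_args), initid(orig.initid), num_buffer(orig.num_buffer),
     error(orig.error), is_null(orig.is_null), initialized(orig.initialized),
     args(orig.args), not_original(true)
  {}

  /*
    Copy assignment with the same sharing rule as the copy constructor.
    Without it the compiler-generated operator= would copy
    orig.not_original (false for an original), leaving two instances that
    both deinit the UDF and delete[] the same buffers -- exactly the
    double free the explicit copy constructor exists to prevent.
    State that *this already owns is not released here; run cleanup()
    first if it had been fix_fields()'d.
  */
  udf_handler &operator=(const udf_handler &orig)
  {
    if (this != &orig)
    {
      u_d= orig.u_d;
      buffers= orig.buffers;
      f_args= orig.f_args;
      initid= orig.initid;
      num_buffer= orig.num_buffer;
      error= orig.error;
      is_null= orig.is_null;
      initialized= orig.initialized;
      args= orig.args;
      not_original= true;
    }
    return *this;
  }

  /* Defined in item_func.cc. */
  ~udf_handler();

  /* Registered function name, or "?" if no udf_func is bound. */
  const char *name() const { return u_d ? u_d->name.str : "?"; }
  /* Declared return type of the UDF; STRING_RESULT if none is bound. */
  Item_result result_type () const
  { return u_d ? u_d->returns : STRING_RESULT;}

  /*
    Presumably evaluates args into f_args for the next call. A true
    return means the arguments could not be evaluated and the result is
    NULL (see val()). Defined in item_func.cc.
  */
  bool get_arguments();
  /*
    Resolves the argument Items and prepares the per-instance state;
    per the change description this is also where a copy gets a fresh
    initid->ptr and not_original is reset. Defined in item_func.cc.
  */
  bool fix_fields(THD *thd, Item_func_or_sum *item,
                  uint arg_count, Item **args);
  /*
    Releases the per-instance state (UDF _deinit, buffers); expected to
    be a no-op for shared state while not_original is set.
    Defined in item_func.cc.
  */
  void cleanup();

  /*
    Call the UDF as a REAL function.
    Sets *null_value and returns 0.0 if the arguments cannot be evaluated
    or the UDF reported NULL or an error. Note that `error` is not reset
    between calls: once the UDF has set it, every later call still reports
    NULL.
  */
  double val(my_bool *null_value)
  {
    is_null= 0;
    if (get_arguments())
    {
      *null_value=1;
      return 0.0;
    }
    Udf_func_double func= (Udf_func_double) u_d->func;
    double tmp=func(&initid, &f_args, &is_null, &error);
    if (is_null || error)
    {
      *null_value=1;
      return 0.0;
    }
    *null_value=0;
    return tmp;
  }

  /*
    Call the UDF as an INT function; same NULL/error contract as val(),
    returning 0 in the NULL case.
  */
  longlong val_int(my_bool *null_value)
  {
    is_null= 0;
    if (get_arguments())
    {
      *null_value=1;
      return 0;
    }
    Udf_func_longlong func= (Udf_func_longlong) u_d->func;
    longlong tmp=func(&initid, &f_args, &is_null, &error);
    if (is_null || error)
    {
      *null_value=1;
      return 0;
    }
    *null_value=0;
    return tmp;
  }

  /* Defined in item_func.cc. */
  my_decimal *val_decimal(my_bool *null_value, my_decimal *dec_buf);

  /*
    Aggregate only: reset the UDF's accumulator through its clear hook.
    func_clear is dereferenced without a NULL check, so this must not be
    reached for a UDFTYPE_FUNCTION entry.
  */
  void clear()
  {
    is_null= 0;
    Udf_func_clear func= u_d->func_clear;
    func(&initid, &is_null, &error);
  }

  /*
    Aggregate only: feed the current row to the UDF's add hook.
    *null_value is set if the arguments cannot be evaluated or the UDF
    reported NULL/error. func_add is not NULL-checked either.
  */
  void add(my_bool *null_value)
  {
    if (get_arguments())
    {
      *null_value=1;
      return;
    }
    Udf_func_add func= u_d->func_add;
    func(&initid, &f_args, &is_null, &error);
    *null_value= (my_bool) (is_null || error);
  }

  /* true if the UDF exports a remove hook, i.e. remove() may be called. */
  bool supports_removal() const
  { return MY_TEST(u_d->func_remove); }

  /*
    Aggregate only: take the current row back out through the UDF's
    remove hook. Callers must check supports_removal() first; the
    DBUG_ASSERT only guards debug builds.
  */
  void remove(my_bool *null_value)
  {
    DBUG_ASSERT(u_d->func_remove);
    if (get_arguments())
    {
      *null_value=1;
      return;
    }
    Udf_func_add func= u_d->func_remove;
    func(&initid, &f_args, &is_null, &error);
    *null_value= (my_bool) (is_null || error);
  }

  /* Defined in item_func.cc. */
  String *val_str(String *str,String *save_str);
};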
#ifdef HAVE_DLOPEN
/* Load / unload the registered UDFs (server start / stop). */
void udf_init(void),udf_free(void);
/*
  Look up a loaded UDF by name. With mark_used the entry is presumably
  pinned via usage_count so it cannot go away under the caller; release
  it with free_udf() when done.
*/
udf_func *find_udf(const char *name, size_t size, bool mark_used=0);
/* Return a reference obtained with find_udf(..., mark_used=true). */
void free_udf(udf_func *udf);
/* CREATE FUNCTION: register udf, loading its library. Non-zero on error. */
int mysql_create_function(THD *thd,udf_func *udf);
/* Outcome of mysql_drop_function(). */
enum drop_udf_result
{
  UDF_DEL_RESULT_ABSENT= 0,  /* no function of that name was registered */
  UDF_DEL_RESULT_DELETED,    /* the function was dropped */
  UDF_DEL_RESULT_ERROR       /* dropping failed */
};
/* DROP FUNCTION: unregister the UDF called *name; see drop_udf_result. */
enum drop_udf_result mysql_drop_function(THD *thd, const LEX_CSTRING *name);
#else
/*
  Builds without dlopen() cannot load UDF libraries, so start-up and
  shut-down have nothing to do: keep the callers linking with no-op stubs.
*/
static inline void udf_init(void)
{
}

static inline void udf_free(void)
{
}
#endif
#endif /* SQL_UDF_INCLUDED */