authorGleb Shchepa <gshchepa@mysql.com>2009-01-23 22:18:02 +0400
committerGleb Shchepa <gshchepa@mysql.com>2009-01-23 22:18:02 +0400
commit93991b6be983c11dfb595e9ee0647384dc37b09c (patch)
treea1139da70074b055b8328abd316f07ea040e0823
parentdb337eb8d8c2dc6c343b89ac78be8966d14a85fc (diff)
downloadmariadb-git-93991b6be983c11dfb595e9ee0647384dc37b09c.tar.gz
Bug#42188: crash and/or memory corruption with user variables
in trigger Interleaved calls to the mysql_change_user client function and invocations of a trigger that changes a user variable caused memory corruption and a crash. The mysql_change_user API call forces THD::cleanup() on the server, which frees user variable entries. However, it didn't reset Item_func_set_user_var::entry to NULL because Item_func_set_user_var::cleanup() was not overloaded. So Item_func_set_user_var::entry held a pointer to freed memory, which caused a crash. The Item_func_set_user_var::cleanup method has been overloaded to clean up the Item_func_set_user_var::entry field. mysql-test/r/user_var.result: Added test case for bug #42188. mysql-test/t/user_var.test: Added test case for bug #42188. sql/item_func.cc: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to clean up the Item_func_set_user_var::entry field. sql/item_func.h: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to clean up the Item_func_set_user_var::entry field.
-rw-r--r--mysql-test/r/user_var.result5
-rw-r--r--mysql-test/t/user_var.test11
-rw-r--r--sql/item_func.cc7
-rw-r--r--sql/item_func.h1
4 files changed, 24 insertions, 0 deletions
diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result
index 2d91835d723..8961a935006 100644
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
0 3 3
1 3 4
drop table t1;
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
End of 5.1 tests
diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test
index 5d916e410e3..fb4511a87a0 100644
--- a/mysql-test/t/user_var.test
+++ b/mysql-test/t/user_var.test
@@ -285,4 +285,15 @@ set @lastid=-1;
select @lastid != id, @lastid, @lastid := id from t1;
drop table t1;
+#
+# Bug#42188: crash and/or memory corruption with user variables in trigger
+#
+
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+--change_user
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
+
--echo End of 5.1 tests
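Review bot: The new test only shows that the second INSERT after `--change_user` does not crash, and a use of freed memory like this one does not necessarily crash on an unfixed build unless the run uses a memory checker or a debug allocator. Adding `SELECT @bug42188;` after the second `INSERT INTO t1 VALUES (1);`, with the matching lines in user_var.result, would also confirm that the trigger wrote into the new session's variable. I would expect it to return 10, but that should be confirmed against a run.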
diff --git a/sql/item_func.cc b/sql/item_func.cc
index ff0c22ecfa9..34cb50ee7fa 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -3808,6 +3808,13 @@ static user_var_entry *get_variable(HASH *hash, LEX_STRING &name,
}
+void Item_func_set_user_var::cleanup()
+{
+ Item_func::cleanup();
+ entry= NULL;
+}
+
+
bool Item_func_set_user_var::set_entry(THD *thd, bool create_if_not_exists)
{
if (entry && thd->thread_id == entry_thread_id)
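Review bot: The new `Item_func_set_user_var::cleanup()` carries no comment saying why `entry` has to be dropped, and the reason is not obvious from the code. The guard in `set_entry()` (`entry && thd->thread_id == entry_thread_id`) accepts a cached pointer whenever the thread id matches, while the commit description says mysql_change_user frees the user variable entries, apparently without the thread id changing. I would add above `entry= NULL;` a comment such as `/* user_var_entry objects are freed by THD::cleanup() (e.g. on mysql_change_user); drop the cached pointer so set_entry() looks it up again */`. It is also worth checking whether any other item caches a `user_var_entry *` across executions, since it would dangle the same way; none is visible in this hunk. The body of `set_entry()` continues outside the hunk.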
diff --git a/sql/item_func.h b/sql/item_func.h
index e2937a4daf8..d23d821baf6 100644
--- a/sql/item_func.h
+++ b/sql/item_func.h
@@ -1357,6 +1357,7 @@ public:
void save_org_in_field(Field *field) { (void)save_in_field(field, 1, 0); }
bool register_field_in_read_map(uchar *arg);
bool set_entry(THD *thd, bool create_if_not_exists);
+ void cleanup();
};
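Review bot: The added `void cleanup();` does not show that it is meant to override the base class method, and the fix only takes effect if the base `cleanup()` is virtual and callers reach it through a base pointer. The base declaration is outside this hunk, so that is an assumption to confirm. Writing it as `virtual void cleanup();` or adding `/* overrides Item_func::cleanup() to reset the cached entry */` would make the intent visible at the declaration.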