authorMonty <monty@mariadb.org>2020-12-14 15:27:07 +0200
committerMonty <monty@mariadb.org>2021-01-15 14:12:26 +0200
commit9a60e89a907618eed1cabc63843fd983baa17fb7 (patch)
treea9c1836e89b8ff92a9817e159ab859b0658f7461
parent76b58c2af78cb25212309f5f00554750cbdb5372 (diff)
downloadmariadb-git-9a60e89a907618eed1cabc63843fd983baa17fb7.tar.gz
Fixed some possible usage of freed memory
- Create_tmp_table::finalize didn't clear file after delete, which could cause a double free. This is, however, not a likely problem, as this code path is very unlikely to be taken.
- free_tmp_table() could do handler calls even if the table was never opened. Fixed by adding a test for whether the table is opened.
-rw-r--r--sql/sql_select.cc14
1 files changed, 9 insertions, 5 deletions
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 5422346884d..812917df3ad 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18675,6 +18675,7 @@ bool Create_tmp_table::finalize(THD *thd,
if (table->file->set_ha_share_ref(&share->ha_share))
{
delete table->file;
+ table->file= 0;
goto err;
}
table->file->set_table(table);
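Review bot: The added `table->file= 0;` has no comment explaining why the pointer must be cleared before `goto err;`, and the `err:` label is outside this hunk, so the reason is not visible here. Going by the commit message, the cleanup path would otherwise free the handler a second time. A one-line comment such as `/* Avoid a second delete of the handler in the err: cleanup */` would record that. Any other early exit in Create_tmp_table::finalize that deletes `table->file` before jumping to `err` (not visible in this hunk) should be checked for the same pattern.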
@@ -19913,11 +19914,14 @@ free_tmp_table(THD *thd, TABLE *entry)
if (entry->file && entry->is_created())
{
- DBUG_ASSERT(entry->db_stat);
- entry->file->ha_index_or_rnd_end();
- entry->file->info(HA_STATUS_VARIABLE);
- thd->tmp_tables_size+= (entry->file->stats.data_file_length +
- entry->file->stats.index_file_length);
+ if (entry->db_stat)
+ {
+ /* The table was properly opened in open_tmp_table() */
+ entry->file->ha_index_or_rnd_end();
+ entry->file->info(HA_STATUS_VARIABLE);
+ thd->tmp_tables_size+= (entry->file->stats.data_file_length +
+ entry->file->stats.index_file_length);
+ }
entry->file->ha_drop_table(entry->s->path.str);
delete entry->file;
}
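Review bot: `delete entry->file;` at the end of this block still leaves `entry->file` pointing at freed memory, which is the same pattern the first hunk fixes in Create_tmp_table::finalize. The rest of free_tmp_table is outside the hunk, so this may be purely defensive if the whole TABLE is released right afterwards; otherwise adding `entry->file= 0;` after the delete keeps the two sites consistent. With the `DBUG_ASSERT` gone, `ha_drop_table()` is now deliberately reached for a table that was created but never opened. A comment before that call, e.g. `/* Reached also when the table was created but never opened */`, would make that intent explicit.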