authorYuchen Pei <yuchen.pei@mariadb.com>2023-01-10 12:48:09 +1100
committerYuchen Pei <yuchen.pei@mariadb.com>2023-01-19 09:39:00 +1100
commit8d91e3f614383a010c74072b4ae876309be3995c (patch)
tree6895627862bad6ef51048438cc73a9ef21eef4fb
parentda798c951182c7afdbf04948dccbc7d4705cc224 (diff)
downloadmariadb-git-8d91e3f614383a010c74072b4ae876309be3995c.tar.gz
MDEV-30191 Remove the to-be-freed spider condition in an sp call
The condition is freed in sp_head::execute, after calling ha_spider::reset. This commit partially reverts the change in commit e954d9de886aebc68c39240304fe97ae88276dbb, so that the condition is always freed regardless of the wide_handler->sql_command, which will prevent access to the freed condition later. Signed-off-by: Yuchen Pei <yuchen.pei@mariadb.com>
-rw-r--r--storage/spider/ha_spider.cc6
-rw-r--r--storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result44
-rw-r--r--storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf3
-rw-r--r--storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test51
4 files changed, 100 insertions, 4 deletions
diff --git a/storage/spider/ha_spider.cc b/storage/spider/ha_spider.cc
index 42ee1041c60..1700cd0557e 100644
--- a/storage/spider/ha_spider.cc
+++ b/storage/spider/ha_spider.cc
@@ -1365,10 +1365,8 @@ int ha_spider::reset()
#endif
result_list.direct_distinct = FALSE;
store_error_num = 0;
- if (
- wide_handler &&
- wide_handler->sql_command != SQLCOM_END
- ) {
+ if (wide_handler)
+ {
wide_handler->sql_command = SQLCOM_END;
wide_handler->between_flg = FALSE;
wide_handler->idx_bitmap_is_set = FALSE;
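Review bot: The new `if (wide_handler)` branch gives no hint of why the `sql_command != SQLCOM_END` guard was dropped, so a later cleanup could reinstate it as a harmless-looking short-circuit and silently bring back the use-after-free this commit fixes. A one-line comment tied to the ticket would protect it, e.g. `/* MDEV-30191: reset unconditionally; skipping this when sql_command was already SQLCOM_END left a stale condition reachable after sp_head::execute freed it */`. The lines that actually release or clear the stored condition are not in the hunk (ha_spider::reset() continues past it), so I cannot confirm from here that no other early return in reset() bypasses that cleanup; worth checking that every path that stores a condition pointer is covered. With the guard gone the field resets now run on every reset() call even when nothing was set, which looks cheap but is a behavioural change the message does not mention.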
diff --git a/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result b/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result
new file mode 100644
index 00000000000..941f210cbbe
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_30191.result
@@ -0,0 +1,44 @@
+#
+# MDEV-30191 SIGSEGV & heap-use-after-free in spider_db_print_item_type, SIGABRT in __cxa_pure_virtual/spider_db_print_item_type, Got error 128 "Out of memory in engine", 56/112 memory not freed, and Assertion `fixed()' failed in Item_sp_variable::val_str on SP call
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (c INT);
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
+CREATE TABLE tbl_b (c INT);
+CREATE PROCEDURE sp() BEGIN
+DECLARE v1 DATE;
+WHILE EXISTS (SELECT 1 FROM tbl_a WHERE c>v1 AND c<=v1) DO
+SELECT 1;
+END WHILE;
+WHILE EXISTS (SELECT 1
+FROM tbl_a
+WHERE c<v1 AND EXISTS (SELECT 1
+FROM tbl_b
+WHERE tbl_a.c=tbl_b.c)) DO
+SELECT 1;
+END WHILE;
+END $$
+CALL sp();
+connection master_1;
+DROP DATABASE IF EXISTS auto_test_local;
+connection child2_1;
+DROP DATABASE IF EXISTS auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf
new file mode 100644
index 00000000000..05dfd8a0bce
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.cnf
@@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
diff --git a/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test
new file mode 100644
index 00000000000..8d19a3515cf
--- /dev/null
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_30191.test
@@ -0,0 +1,51 @@
+--echo #
+--echo # MDEV-30191 SIGSEGV & heap-use-after-free in spider_db_print_item_type, SIGABRT in __cxa_pure_virtual/spider_db_print_item_type, Got error 128 "Out of memory in engine", 56/112 memory not freed, and Assertion `fixed()' failed in Item_sp_variable::val_str on SP call
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (c INT);
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+ c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
+CREATE TABLE tbl_b (c INT);
+
+--delimiter $$
+CREATE PROCEDURE sp() BEGIN
+ DECLARE v1 DATE;
+ WHILE EXISTS (SELECT 1 FROM tbl_a WHERE c>v1 AND c<=v1) DO
+ SELECT 1;
+ END WHILE;
+ WHILE EXISTS (SELECT 1
+ FROM tbl_a
+ WHERE c<v1 AND EXISTS (SELECT 1
+ FROM tbl_b
+ WHERE tbl_a.c=tbl_b.c)) DO
+ SELECT 1;
+ END WHILE;
+END $$
+--delimiter ;
+CALL sp();
+
+--connection master_1
+DROP DATABASE IF EXISTS auto_test_local;
+--connection child2_1
+DROP DATABASE IF EXISTS auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_deinit.inc
+--enable_query_log
+--enable_result_log
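Review bot: The reproducer at `CALL sp();` only proves the fix on a build that detects access to freed memory; on a plain release build a read of the freed condition may not fault, so this test could pass with the fix reverted. The expected result pins nothing beyond the CALL completing with no output, so consider stating that in the test, e.g. `# The use-after-free is only reliably caught by ASAN/debug builds`, or confirming the suite runs in the sanitized CI job. The ticket title lists an `Assertion fixed() failed` symptom, which would surface only on debug builds and is consistent with that concern, though inferred rather than verified here.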