author | Dmitry Shulga <dmitry.shulga@mariadb.com> | 2022-04-04 14:32:16 +0700 |
---|---|---|
committer | Dmitry Shulga <dmitry.shulga@mariadb.com> | 2022-04-04 14:32:16 +0700 |
commit | cd56b40f6dfdfd0dc63a66e44e2f28619913c94a (patch) | |
tree | 1c430e6685e597004f61f47b57a94e17e6eed9f1 /mysql-test/main/sp.result | |
parent | d48774e0e042675d21de51659417cb738e41a0a7 (diff) | |
download | mariadb-git-cd56b40f6dfdfd0dc63a66e44e2f28619913c94a.tar.gz |

MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*)

This bug report is not about an ASAN Use After Free issue. This bug is
about missed calling of the method LEX::cleanup_lex_after_parse_error
that should happen on parse error.

Aforementioned method calls sphead::restore_thd_mem_root to clean up
resources acquired on processing a stored routine. Particularly,
the method sp_head::restore_thd_mem_root is called to restore
an original mem root and reset LEX::sphead into nullptr.

The method LEX::cleanup_lex_after_parse_error is invoked by the macro
MYSQL_YYABORT. Unfortunately, some rules of grammar for handling
user variables in SQL use YYABORT instead of MYSQL_YYABORT to handle
parser errors. As a consequence, in case a statement with setting of
a user variable is called inside a stored routine, it results in
assert failure in sp_head destructor.

To fix the issue the macro YYABORT should be replaced by MYSQL_YYABORT
in those grammar rules that handle assignment of user variables.

Diffstat (limited to 'mysql-test/main/sp.result')
-rw-r--r-- | mysql-test/main/sp.result | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/mysql-test/main/sp.result b/mysql-test/main/sp.result index a7faeaf2f0d..cf51ce96817 100644 --- a/mysql-test/main/sp.result +++ b/mysql-test/main/sp.result @@ -8913,3 +8913,15 @@ ERROR 42000: Incorrect usage/placement of 'HIGH_PRIORITY' # # End of 10.4 tests # +# +# MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*) +# +CREATE PROCEDURE sp() SELECT 1 INTO @; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1 +CREATE PROCEDURE sp() SET @=1; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=1' at line 1 +CREATE PROCEDURE sp() SELECT @; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1 +# +# End of 10.7 tests +# |
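Review bot: the three added cases all wrap the malformed user variable in CREATE PROCEDURE and record only the ERROR 42000 text, so the expected output never shows that the session is in a clean state after the parse error. Consider following the failing statements with one that succeeds, for example a valid CREATE PROCEDURE sp() and a matching DROP, so a leftover LEX::sphead from the aborted parse would surface in the result file instead of only as an assertion. The commit message describes the problem for stored routines in general, so a CREATE FUNCTION or trigger body variant of `SET @=1` would widen coverage at little cost. The new block also sits directly after the "End of 10.4 tests" marker and is closed by "End of 10.7 tests" without a corresponding start marker, which makes it unclear which version section the cases belong to; adding the section header or moving the cases under the branch where the fix first lands would keep future merges of sp.result unambiguous.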