diff options
| author | Mats Kindahl <mats@mysql.com> | 2008-07-07 09:58:27 +0200 |
|---|---|---|
| committer | Mats Kindahl <mats@mysql.com> | 2008-07-07 09:58:27 +0200 |
| commit | 914cae3a2d48187ba566fb95342df4df10ecba48 (patch) | |
| tree | 4efdb7c49fad71c7457eeaf014507493742695d1 /sql/log_event.cc | |
| parent | fe87c0db0ccea0c543befe0bff126aade2a4c263 (diff) | |
| download | mariadb-git-914cae3a2d48187ba566fb95342df4df10ecba48.tar.gz | |
Bug #37150 Risk for crash in User_var_log_event::exec_event()
On certain kinds of errors (e.g., out of stack), a call to Item_func_
set_user_var::fix_fields() might fail. Since the return value of this
call was not checked inside User_var_log_event::exec_event(), continuing
execution after this will cause a crash inside Item_func_set_user_var::
update_hash().
The bug is fixed by aborting execution of the event with an error if
fix_fields() fails, since it is not possible to continue execution anyway.
sql/log_event.cc:
Aborting execution of event if fix_fields() fails since execution
of update_hash() might cause a crash.
Diffstat (limited to 'sql/log_event.cc')
| -rw-r--r-- | sql/log_event.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/log_event.cc b/sql/log_event.cc index 05dccd782ad..ef419aaee40 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -4154,8 +4154,14 @@ int User_var_log_event::exec_event(struct st_relay_log_info* rli) /* Item_func_set_user_var can't substitute something else on its place => 0 can be passed as last argument (reference on item) + + Fix_fields() can fail, in which case a call of update_hash() might + crash the server, so if fix fields fails, we just return with an + error. */ - e.fix_fields(thd, 0); + if (e.fix_fields(thd, 0)) + return 1; + /* A variable can just be considered as a table with a single record and with a single column. Thus, like |