author | unknown <knielsen@mysql.com> | 2006-05-15 12:01:55 +0200 |
---|---|---|
committer | unknown <knielsen@mysql.com> | 2006-05-15 12:01:55 +0200 |
commit | dccd333ecf4d566029c40e18bee33f6019bc2420 (patch) | |
tree | 269b1cc4ffdaf52a959a5bf03778eedd53698a30 /sql/sp_rcontext.cc | |
parent | afe4715242576a8575abcec955baa4bfd78af85e (diff) | |
BUG#18037: Fix stack corruption in THD::rollback_item_tree_changes().
Stored procedure execution sometimes placed the address of auto variables
in the list of Item changes to undo in THD::rollback_item_tree_changes().
This could cause stack corruption.
sql/sp_head.cc:
Avoid storing address of auto variables in global rollback list, to
prevent stack memory corruption.
sql/sp_head.h:
Avoid storing address of auto variables in global rollback list, to
prevent stack memory corruption.
sql/sp_rcontext.cc:
Avoid storing address of auto variables in global rollback list, to
prevent stack memory corruption.
sql/sp_rcontext.h:
Avoid storing address of auto variables in global rollback list, to
prevent stack memory corruption.
sql/sql_class.cc:
Avoid storing address of auto variables in global rollback list, to
prevent stack memory corruption.
Diffstat (limited to 'sql/sp_rcontext.cc')
-rw-r--r-- | sql/sp_rcontext.cc | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/sql/sp_rcontext.cc b/sql/sp_rcontext.cc
index 38b6de0e75a..3bc27a029d0 100644
--- a/sql/sp_rcontext.cc
+++ b/sql/sp_rcontext.cc
@@ -150,7 +150,7 @@ sp_rcontext::init_var_items()
 bool
-sp_rcontext::set_return_value(THD *thd, Item *return_value_item)
+sp_rcontext::set_return_value(THD *thd, Item **return_value_item)
 {
 DBUG_ASSERT(m_return_value_fld);
@@ -279,14 +279,14 @@ sp_rcontext::pop_cursors(uint count)
 int
-sp_rcontext::set_variable(THD *thd, uint var_idx, Item *value)
+sp_rcontext::set_variable(THD *thd, uint var_idx, Item **value)
 {
 return set_variable(thd, m_var_table->field[var_idx], value);
 }
 int
-sp_rcontext::set_variable(THD *thd, Field *field, Item *value)
+sp_rcontext::set_variable(THD *thd, Field *field, Item **value)
 {
 if (!value)
 {
@@ -478,9 +478,10 @@ sp_rcontext::create_case_expr_holder(THD *thd, Item_result result_type)
 */
 int
-sp_rcontext::set_case_expr(THD *thd, int case_expr_id, Item *case_expr_item)
+sp_rcontext::set_case_expr(THD *thd, int case_expr_id, Item **case_expr_item_ptr)
 {
- if (!(case_expr_item= sp_prepare_func_item(thd, &case_expr_item)))
+ Item *case_expr_item= sp_prepare_func_item(thd, case_expr_item_ptr);
+ if (!case_expr_item)
 return TRUE;
 if (!m_case_expr_holders[case_expr_id] ||
@@ -542,7 +543,7 @@ bool Select_fetch_into_spvars::send_data(List<Item> &items)
 */
 for (; spvar= spvar_iter++, item= item_iter++; )
 {
- if (thd->spcont->set_variable(thd, spvar->offset, item))
+ if (thd->spcont->set_variable(thd, spvar->offset, &item))
 return TRUE;
 }
 return FALSE; |
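Review bot: The new `Item **return_value_item` parameter of set_return_value carries a lifetime requirement that neither the signature nor a comment states. Per the commit message, such an address can end up in the list that THD::rollback_item_tree_changes() walks, so it must not point at an auto variable. The same applies to both set_variable overloads and to set_case_expr in the later hunks. I would add a comment above each definition, for example `/* return_value_item must point to storage that stays valid until the item tree changes are rolled back; never pass the address of a local. */`. The function body continues outside the hunk, so how the pointer is forwarded is not visible here.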
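Review bot: In set_variable(THD *, Field *, Item **) the unchanged guard `if (!value)` now tests the pointer-to-pointer instead of the Item, so a caller that passes the address of a null `Item *` no longer takes this branch. What the branch does and what follows it are outside the hunk, but if the remaining code dereferences `*value` this becomes a null dereference. If a null Item is still a valid input, the guard should read `if (!value || !*value)`. Otherwise a `DBUG_ASSERT(value && *value);` before the guard would state the new contract explicitly.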
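Review bot: The new call `set_variable(thd, spvar->offset, &item)` in Select_fetch_into_spvars::send_data looks like the pattern this commit sets out to remove. The declaration of `item` is outside the hunk, but if it is a local of send_data, its address is reused on every loop iteration and dies when the function returns. Should anything below set_variable record that address in the rollback list, the stack corruption described in the commit message would still be reachable through this path. If it is safe because the fetched items need no further preparation, and so nothing is registered, that reasoning should be written at the call, for example `/* &item is a local's address: safe only while no item tree change is registered for it */`. Otherwise pass a pointer to the list element's own storage instead of to the loop variable.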