MDEV-15907 ASAN heap-use-after-free

This patch fixes an invalid read in fill_effective_table_privileges triggered by a grant_version increase between a PREPARE for a statement creating a view from I_S and EXECUTE. A tmp table was created and free'd while preparing the statement, TABLE_LIST::table_name was set to point to the tmp table TABLE_SHARE::table_name which no longer existed after preparing was done. The grant version increase made fill_effective_table_privileges called during EXECUTE to try fetch the updated grant info and this is where the dangling table name was used.
author: Robert Bindar <robert@mariadb.org> 2019-04-01 11:54:29 +0300
committer: Sergei Golubchik <serg@mariadb.org> 2019-04-24 11:15:38 +0200
commit: e52a4ab693002ccfe9eb65e409f8b3457de450b9 (patch)
tree: d25efc527c89f8e6a41e49bcaeea65f4dcf6e815 /sql/sql_show.cc
parent: 5d510fdbf006afa82c8acc9ea2e0c6cbeaebe0fa (diff)
download: mariadb-git-e52a4ab693002ccfe9eb65e409f8b3457de450b9.tar.gz
1 files changed, 0 insertions, 2 deletions
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index db33a9de781..a69f7a8b970 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -7620,8 +7620,6 @@ int mysql_schema_table(THD *thd, LEX *lex, TABLE_LIST *table_list)
     table->alias_name_used= my_strcasecmp(table_alias_charset,
                                           table_list->schema_table_name,
                                           table_list->alias);
-  table_list->table_name= table->s->table_name.str;
-  table_list->table_name_length= table->s->table_name.length;
   table_list->table= table;
   table->next= thd->derived_tables;
   thd->derived_tables= table;
author	Robert Bindar <robert@mariadb.org>	2019-04-01 11:54:29 +0300
committer	Sergei Golubchik <serg@mariadb.org>	2019-04-24 11:15:38 +0200
commit	e52a4ab693002ccfe9eb65e409f8b3457de450b9 (patch)
tree	d25efc527c89f8e6a41e49bcaeea65f4dcf6e815 /sql/sql_show.cc
parent	5d510fdbf006afa82c8acc9ea2e0c6cbeaebe0fa (diff)
download	mariadb-git-e52a4ab693002ccfe9eb65e409f8b3457de450b9.tar.gz