Bug#34587 Creating a view inside a stored procedure leads to a server crash

The problem is that when a stored procedure is being parsed for
the first execution, the body is copied to a temporary buffer
which is disregarded sometime after the statement is parsed.
And during this parsing phase, the rule for CREATE VIEW was
holding a reference to the string being parsed for use during
the execution of the CREATE VIEW statement, leading to invalid
memory access later.

The solution is to allocate and copy the SELECT of a CREATE
VIEW statement using the thread memory root, which is set to
the permanent arena of the stored procedure. 

1 files changed, 2 insertions, 6 deletions

diff --git a/sql/sql_view.cc b/sql/sql_view.cc
index 1a4d7d515a8..2230b3de8ad 100644
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@@ -237,7 +237,7 @@ bool mysql_create_view(THD *thd, TABLE_LIST *views,
 
   /* This is ensured in the parser. */
   DBUG_ASSERT(!lex->proc_list.first && !lex->result &&
-              !lex->param_list.elements && !lex->derived_tables);
+              !lex->param_list.elements);
 
   if (mode != VIEW_CREATE_NEW)
   {
@@ -718,11 +718,7 @@ static int mysql_register_view(THD *thd, TABLE_LIST *view,
   /* fill structure */
   view->select_stmt.str= view_query.c_ptr_safe();
   view->select_stmt.length= view_query.length();
-
-  view->source.str= (char*) thd->lex->create_view_select_start;
-  view->source.length= (thd->lex->create_view_select_end
-                        - thd->lex->create_view_select_start);
-  trim_whitespace(thd->charset(), & view->source);
+  view->source= thd->lex->create_view_select;
 
   view->file_version= 1;
   view->calc_md5(md5);