MDEV-18083 ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table

remove TABLE_SHARE::error_table_name() and TABLE_SHARE::orig_table_name (that was allocated in a wrong memroot in this bug). instead, simply set TABLE_SHARE::table_name correctly.
author: Sergei Golubchik <serg@mariadb.org> 2019-02-03 18:40:27 +0100
committer: Sergei Golubchik <serg@mariadb.org> 2019-02-05 01:34:17 +0100
commit: ef4ccb6ce2fd36014a7d065c3c4cf7611d113211 (patch)
tree: 5d121fe0657f3dfa20e72c145c2fbe2cef97c263 /sql
parent: 3b7694b7f89412e869ac63804d424a3f29f7e2af (diff)
download: mariadb-git-ef4ccb6ce2fd36014a7d065c3c4cf7611d113211.tar.gz
6 files changed, 17 insertions, 34 deletions
diff --git a/sql/field.cc b/sql/field.cc
index c2317e9a748..855cc5e0b79 100644
--- a/sql/field.cc
+++ b/sql/field.cc
@@ -8635,7 +8635,7 @@ int Field_geom::store(const char *from, uint length, CHARSET_INFO *cs)
         (uint32) geom_type != wkb_type)
     {
       const char *db= table->s->db.str;
-      const char *tab_name= table->s->error_table_name();
+      const char *tab_name= table->s->table_name.str;
 
       if (!db)
         db= "";
@@ -10821,7 +10821,7 @@ void Field::set_warning_truncated_wrong_value(const char *type_arg,
 {
   THD *thd= get_thd();
   const char *db_name= table->s->db.str;
-  const char *table_name= table->s->error_table_name();
+  const char *table_name= table->s->table_name.str;
 
   if (!db_name)
     db_name= "";
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index b1ae11fef03..5e5878ebf65 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -16753,7 +16753,7 @@ create_tmp_table(THD *thd, TMP_TABLE_PARAM *param, List<Item> &fields,
   table->no_rows_with_nulls= param->force_not_null_cols;
 
   table->s= share;
-  init_tmp_table_share(thd, share, "", 0, tmpname, tmpname);
+  init_tmp_table_share(thd, share, "", 0, "(temporary)", tmpname);
   share->blob_field= blob_field;
   share->table_charset= param->table_charset;
   share->primary_key= MAX_KEY;               // Indicate no primary key
@@ -17539,7 +17539,7 @@ bool Virtual_tmp_table::open()
 bool open_tmp_table(TABLE *table)
 {
   int error;
-  if ((error= table->file->ha_open(table, table->s->table_name.str, O_RDWR,
+  if ((error= table->file->ha_open(table, table->s->path.str, O_RDWR,
                                    HA_OPEN_TMP_TABLE |
                                    HA_OPEN_INTERNAL_TABLE)))
   {
@@ -17735,13 +17735,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
       }
     }
 
-    if ((error= maria_create(share->table_name.str,
-                             file_type,
-                             share->keys, &keydef,
-                             (uint) (*recinfo-start_recinfo),
-                             start_recinfo,
-                             share->uniques, &uniquedef,
-                             &create_info,
+    if ((error= maria_create(share->path.str, file_type, share->keys, &keydef,
+                             (uint) (*recinfo-start_recinfo), start_recinfo,
+                             share->uniques, &uniquedef, &create_info,
                              create_flags)))
     {
       table->file->print_error(error,MYF(0));	/* purecov: inspected */
@@ -17891,11 +17887,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
   bzero((char*) &create_info,sizeof(create_info));
   create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;
 
-  if ((error=mi_create(share->table_name.str, share->keys, &keydef,
-		       (uint) (*recinfo-start_recinfo),
-		       start_recinfo,
-		       share->uniques, &uniquedef,
-		       &create_info,
+  if ((error=mi_create(share->path.str, share->keys, &keydef,
+		       (uint) (*recinfo-start_recinfo), start_recinfo,
+		       share->uniques, &uniquedef, &create_info,
 		       HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE |
                        ((share->db_create_options & HA_OPTION_PACK_RECORD) ?
                         HA_PACK_RECORD : 0)
@@ -18049,7 +18043,7 @@ err_killed:
   (void) table->file->ha_rnd_end();
   (void) new_table.file->ha_close();
  err1:
-  new_table.file->ha_delete_table(new_table.s->table_name.str);
+  new_table.file->ha_delete_table(new_table.s->path.str);
  err2:
   delete new_table.file;
   thd_proc_info(thd, save_proc_info);
@@ -18074,9 +18068,9 @@ free_tmp_table(THD *thd, TABLE *entry)
   {
     entry->file->ha_index_or_rnd_end();
     if (entry->db_stat)
-      entry->file->ha_drop_table(entry->s->table_name.str);
+      entry->file->ha_drop_table(entry->s->path.str);
     else
-      entry->file->ha_delete_table(entry->s->table_name.str);
+      entry->file->ha_delete_table(entry->s->path.str);
     delete entry->file;
   }
 
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 58698936476..4f9adc3338c 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -9440,7 +9440,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
     goto err_new_table_cleanup;
 
   if (ha_create_table(thd, alter_ctx.get_tmp_path(),
-                      alter_ctx.new_db, alter_ctx.tmp_name,
+                      alter_ctx.new_db, alter_ctx.new_name,
                       create_info, &frm))
     goto err_new_table_cleanup;
 
@@ -9449,7 +9449,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
 
   new_table=
     thd->create_and_open_tmp_table(new_db_type, &frm, alter_ctx.get_tmp_path(),
-                                   alter_ctx.new_db, alter_ctx.tmp_name, true);
+                                   alter_ctx.new_db, alter_ctx.new_name, true);
   if (!new_table)
     goto err_new_table_cleanup;
 
@@ -9511,7 +9511,6 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
         goto err_new_table_cleanup;
     }
   }
-  new_table->s->orig_table_name= table->s->table_name.str;
 
   /*
     Note: In case of MERGE table, we do not attach children. We do not
diff --git a/sql/sql_time.cc b/sql/sql_time.cc
index 53e380f59c8..bba8c974ccb 100644
--- a/sql/sql_time.cc
+++ b/sql/sql_time.cc
@@ -880,7 +880,7 @@ void make_truncated_value_warning(THD *thd,
   if (field_name)
   {
     const char *db_name= s->db.str;
-    const char *table_name= s->error_table_name();
+    const char *table_name= s->table_name.str;
 
     if (!db_name)
       db_name= "";
diff --git a/sql/table.cc b/sql/table.cc
index 58e90787925..7c5410aed84 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -5182,7 +5182,7 @@ int TABLE::verify_constraints(bool ignore_failure)
         field_error.append((*chk)->name.str);
         my_error(ER_CONSTRAINT_FAILED,
                  MYF(ignore_failure ? ME_JUST_WARNING : 0), field_error.c_ptr(),
-                 s->db.str, s->error_table_name());
+                 s->db.str, s->table_name.str);
         return ignore_failure ? VIEW_CHECK_SKIP : VIEW_CHECK_ERROR;
       }
     }
diff --git a/sql/table.h b/sql/table.h
index 13acae533f7..c3c138c1278 100644
--- a/sql/table.h
+++ b/sql/table.h
@@ -625,16 +625,6 @@ struct TABLE_SHARE
   LEX_STRING normalized_path;		/* unpack_filename(path) */
   LEX_STRING connect_string;
 
-  const char* orig_table_name;          /* Original table name for this tmp table */
-  const char* error_table_name() const  /* Get table name for error messages */
-  {
-    return tmp_table ? (
-      orig_table_name ?
-        orig_table_name :
-        "(temporary)") :
-      table_name.str;
-  }
-
   /* 
      Set of keys in use, implemented as a Bitmap.
      Excludes keys disabled by ALTER TABLE ... DISABLE KEYS.
author	Sergei Golubchik <serg@mariadb.org>	2019-02-03 18:40:27 +0100
committer	Sergei Golubchik <serg@mariadb.org>	2019-02-05 01:34:17 +0100
commit	ef4ccb6ce2fd36014a7d065c3c4cf7611d113211 (patch)
tree	5d121fe0657f3dfa20e72c145c2fbe2cef97c263 /sql
parent	3b7694b7f89412e869ac63804d424a3f29f7e2af (diff)
download	mariadb-git-ef4ccb6ce2fd36014a7d065c3c4cf7611d113211.tar.gz