From 14d43f4fa691e3af113195a3608f1fc401b85090 Mon Sep 17 00:00:00 2001
From: Monty <monty@mariadb.org>
Date: Thu, 29 Oct 2020 18:34:26 +0200
Subject: MDEV-23222 SIGSEG in maria_create() because of double free

The crash happens because a double free in the case CREATE TABLE fails
because there is a conflicting tables on disk.

Fixed by ensuring that the double free can't happen.
---
 mysql-test/suite/maria/create.result | 11 +++++++++++
 mysql-test/suite/maria/create.test   | 22 ++++++++++++++++++++++
 storage/maria/ma_create.c            |  1 +
 3 files changed, 34 insertions(+)

diff --git a/mysql-test/suite/maria/create.result b/mysql-test/suite/maria/create.result
index 462c148df8e..f1da0d7105b 100644
--- a/mysql-test/suite/maria/create.result
+++ b/mysql-test/suite/maria/create.result
@@ -62,5 +62,16 @@ c1
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 #
+# MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+# thd->status_var.local_memory_used >= 0
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+flush tables;
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+Got one of the listed errors
+DROP TABLE t1;
+#
 # End of 10.3 tests
 #
diff --git a/mysql-test/suite/maria/create.test b/mysql-test/suite/maria/create.test
index 0efae8cac1b..cac1f8bd7e1 100644
--- a/mysql-test/suite/maria/create.test
+++ b/mysql-test/suite/maria/create.test
@@ -70,6 +70,28 @@ SELECT c1 FROM t3 WHERE (c1) IN (SELECT MIN(DISTINCT c1) FROM t2);
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 
+--echo #
+--echo # MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+--echo # thd->status_var.local_memory_used >= 0
+--echo #
+
+let $mysqld_datadir= `select @@datadir`;
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+flush tables;
+--remove_file $mysqld_datadir/test/MDEV_23222.frm
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--error 1,ER_TABLE_EXISTS_ERROR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+DROP TABLE t1;
+--disable_warnings
+--remove_file $mysqld_datadir/test/MDEV_23222.MAD
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--remove_file $MYSQL_TMP_DIR/MDEV_23222.MAD
+--enable_warnings
+
 --echo #
 --echo # End of 10.3 tests
 --echo #
diff --git a/storage/maria/ma_create.c b/storage/maria/ma_create.c
index 98c33f896ac..8d6eb6edc48 100644
--- a/storage/maria/ma_create.c
+++ b/storage/maria/ma_create.c
@@ -1163,6 +1163,7 @@ int maria_create(const char *name, enum data_file_type datafile_type,
                                   FALSE, TRUE))
       goto err;
     my_free(log_data);
+    log_data= 0;
   }
 
   if (!(flags & HA_DONT_TOUCH_DATA))
-- 
cgit v1.2.1