From 93991b6be983c11dfb595e9ee0647384dc37b09c Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Fri, 23 Jan 2009 22:18:02 +0400 Subject: Bug#42188: crash and/or memory corruption with user variables in trigger Interchangeable calls to the mysql_change_user client function and invocations of a trigger changing some user variable caused a memory corruption and a crash. The mysql_change_user API call forces TDH::cleanup() on a server that frees user variable entries. However it didn't reset Item_func_set_user_var::entry to NULL because Item_func_set_user_var::cleanup() was not overloaded. So, Item_func_set_user_var::entry held a pointer to freed memory, that caused a crash. The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. mysql-test/r/user_var.result: Added test case for bug #42188. mysql-test/t/user_var.test: Added test case for bug #42188. sql/item_func.cc: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. sql/item_func.h: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field.
---
mysql-test/r/user_var.result | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'mysql-test/r/user_var.result')
diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result
index 2d91835d723..8961a935006 100644
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
 0 3 3
 1 3 4
 drop table t1;
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
 End of 5.1 tests
-- cgit v1.2.1
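Review bot: The recorded output for Bug#42188 contains no statement whose result depends on the trigger having run, so this test can only fail if the server actually crashes between the two `INSERT INTO t1 VALUES (1);` lines. A stale `Item_func_set_user_var::entry` pointer into freed memory does not fault reliably, so outside a Valgrind or sanitizer run the block may well pass on an unfixed server. Recording `SELECT @bug42188;` after the second insert would give the result file an observable value to compare. A `--echo # Bug#42188` header line in the test would also make the block identifiable in the result file. The change-user step is presumably issued in mysql-test/t/user_var.test, which this page does not show.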