From e5a88caf08749b6ac1de4d5420f04b6125898e08 Mon Sep 17 00:00:00 2001 From: Gleb Shchepa Date: Mon, 6 Dec 2010 23:38:31 +0300 Subject: Bug #57187: more user variable fun with multiple assignments and comparison in query A query that compares assignments of the same user variable caused Valgrind warnings: access to freed memory region. In case of a DECIMAL argument the assignment operator (:=) may return a pointer to a stored value instead of its copy when evaluated. The next assignment to the same variable may: a) overwrite the stored value with a new one and return the same pointer or even b) reallocate stored value. Thus, if we evaluate an assignment and keep the result pointer and then evaluate another assignment to the same variable, then the kept result pointer of the first assignment will point to unexpectedly changed data or it may be a dead pointer. That may cause wrong data or crash. The user_var_entry::val_decimal method has been modified to copy user variable data. mysql-test/r/user_var.result: Test case for bug #57187. mysql-test/t/user_var.test: Test case for bug #57187. sql/item_func.cc: Bug #57187: more user variable fun with multiple assignments and comparison in query The user_var_entry::val_decimal method has been modified to copy user variable data. --- mysql-test/r/user_var.result | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'mysql-test/r/user_var.result') diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result index cf82a18ea83..374520ff610 100644 --- a/mysql-test/r/user_var.result +++ b/mysql-test/r/user_var.result @@ -450,4 +450,10 @@ DROP TABLE t1; select @v:=@v:=sum(1) from dual; @v:=@v:=sum(1) 1 +CREATE TABLE t1(a DECIMAL(31,21)); +INSERT INTO t1 VALUES (0); +SELECT (@v:=a) <> (@v:=1) FROM t1; +(@v:=a) <> (@v:=1) +1 +DROP TABLE t1; End of 5.1 tests -- cgit v1.2.1