From 914cae3a2d48187ba566fb95342df4df10ecba48 Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Mon, 7 Jul 2008 09:58:27 +0200 Subject: Bug #37150 Risk for crash in User_var_log_event::exec_event() On certain kinds of errors (e.g., out of stack), a call to Item_func_ set_user_var::fix_fields() might fail. Since the return value of this call was not checked inside User_var_log_event::exec_event(), continuing execution after this will cause a crash inside Item_func_set_user_var:: update_hash(). The bug is fixed by aborting execution of the event with an error if fix_fields() fails, since it is not possible to continue execution anyway. sql/log_event.cc: Aborting execution of event if fix_fields() fails since execution of update_hash() might cause a crash. --- sql/log_event.cc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'sql/log_event.cc') diff --git a/sql/log_event.cc b/sql/log_event.cc index 05dccd782ad..ef419aaee40 100644 --- a/sql/log_event.cc +++ b/sql/log_event.cc @@ -4154,8 +4154,14 @@ int User_var_log_event::exec_event(struct st_relay_log_info* rli) /* Item_func_set_user_var can't substitute something else on its place => 0 can be passed as last argument (reference on item) + + Fix_fields() can fail, in which case a call of update_hash() might + crash the server, so if fix fields fails, we just return with an + error. */ - e.fix_fields(thd, 0); + if (e.fix_fields(thd, 0)) + return 1; + /* A variable can just be considered as a table with a single record and with a single column. Thus, like -- cgit v1.2.1