MDEV-12939 A query crashes MariaDB in Item_func_regex::cleanup

and MDEV-13144 regexp on views - crashed mariadb server implement Item_func_regex::build_clone()
2017-06-25 20:55:58 +02:00 · 2017-06-25 20:55:58 +02:00 · 75f80004b1
commit 75f80004b1
parent 7bea860709
4 changed files with 22 additions and 8 deletions
--- a/mysql-test/r/func_regexp_pcre.result
+++ b/mysql-test/r/func_regexp_pcre.result
@ -894,3 +894,5 @@ REGEXP_INSTR('a_kollision', '(oll)')
 SELECT REGEXP_INSTR('a_kollision', 'o([lm])\\1');
 REGEXP_INSTR('a_kollision', 'o([lm])\\1')
 4
+SELECT a FROM (SELECT "aa" a) t WHERE a REGEXP '[0-9]';
+a
--- a/mysql-test/t/func_regexp_pcre.test
+++ b/mysql-test/t/func_regexp_pcre.test
@ -439,3 +439,8 @@ SELECT 1 FROM dual WHERE ('Alpha,Bravo,Charlie,Delta,Echo,Foxtrot,StrataCentral,
 SELECT REGEXP_INSTR('a_kollision', 'oll');
 SELECT REGEXP_INSTR('a_kollision', '(oll)');
 SELECT REGEXP_INSTR('a_kollision', 'o([lm])\\1');
+
+#
+# MDEV-12939 A query crashes MariaDB in Item_func_regex::cleanup
+#
+SELECT a FROM (SELECT "aa" a) t WHERE a REGEXP '[0-9]';
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@ -5408,9 +5408,8 @@ bool Regexp_processor_pcre::compile(String *pattern, bool send_error)
  {
    if (!stringcmp(pattern, &m_prev_pattern))
      return false;
+    cleanup();
    m_prev_pattern.copy(*pattern);
-    pcre_free(m_pcre);
-    m_pcre= NULL;
  }

  if (!(pattern= convert_if_needed(pattern, &pattern_converter)))
--- a/sql/item_cmpfunc.h
+++ b/sql/item_cmpfunc.h
@ -2074,14 +2074,15 @@ public:
  {
    return subpattern_end(n) - subpattern_start(n);
  }
+  void reset()
+  {
+    m_pcre= NULL;
+    m_prev_pattern.length(0);
+  }
  void cleanup()
  {
-    if (m_pcre)
-    {
-      pcre_free(m_pcre);
-      m_pcre= NULL;
-    }
-    m_prev_pattern.length(0);
+    pcre_free(m_pcre);
+    reset();
  }
  bool is_compiled() const { return m_pcre != NULL; }
  bool is_const() const { return m_is_const; }
@ -2110,6 +2111,13 @@ public:
  enum precedence precedence() const { return CMP_PRECEDENCE; }
  Item *get_copy(THD *thd, MEM_ROOT *mem_root)
  { return get_item_copy<Item_func_regex>(thd, mem_root, this); }
+  Item *build_clone(THD *thd, MEM_ROOT *mem_root)
+  {
+    Item_func_regex *clone= (Item_func_regex*) Item_bool_func::build_clone(thd, mem_root);
+    if (clone)
+      clone->re.reset();
+    return clone;
+  }

  void print(String *str, enum_query_type query_type)
  {