Bug#38823: Invalid memory access when a SP statement does wildcard expansion
The problem is that field names constructed due to wildcard expansion done inside a stored procedure could point to freed memory if the expansion was performed after the first call to the stored procedure. The problem was solved by the patch for Bug#38691. The solution was to allocate the database, table and field names in the statement memory instead of table memory.
parent
702ae189a3
commit
d4c75b7d0f
@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
|
||||
end $
|
||||
call `p2`('s s s s s s');
|
||||
drop procedure `p2`;
|
||||
drop table if exists t1;
|
||||
drop procedure if exists p1;
|
||||
create procedure p1() begin select * from t1; end$
|
||||
call p1$
|
||||
ERROR 42S02: Table 'test.t1' doesn't exist
|
||||
create table t1 (a integer)$
|
||||
call p1$
|
||||
a
|
||||
alter table t1 add b integer;
|
||||
call p1$
|
||||
a
|
||||
drop table t1;
|
||||
drop procedure p1;
|
||||
# ------------------------------------------------------------------
|
||||
# -- End of 5.0 tests
|
||||
# ------------------------------------------------------------------
|
||||
|
@ -7836,6 +7836,28 @@ delimiter ;$
|
||||
call `p2`('s s s s s s');
|
||||
drop procedure `p2`;
|
||||
|
||||
#
|
||||
# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
|
||||
#
|
||||
|
||||
--disable_warnings
|
||||
drop table if exists t1;
|
||||
drop procedure if exists p1;
|
||||
--enable_warnings
|
||||
|
||||
delimiter $;
|
||||
create procedure p1() begin select * from t1; end$
|
||||
--error ER_NO_SUCH_TABLE
|
||||
call p1$
|
||||
create table t1 (a integer)$
|
||||
call p1$
|
||||
alter table t1 add b integer;
|
||||
call p1$
|
||||
delimiter ;$
|
||||
|
||||
drop table t1;
|
||||
drop procedure p1;
|
||||
|
||||
--echo # ------------------------------------------------------------------
|
||||
--echo # -- End of 5.0 tests
|
||||
--echo # ------------------------------------------------------------------
|
||||
|
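Review bot: `alter table t1 add b integer;` ends with `;` while the active delimiter is still `$`, so it appears to be sent to the server together with the following `call p1$` as one multi-statement query rather than as its own step; `alter table t1 add b integer$` would keep the ALTER and the third call separate and match the other statements in the block. The recorded output shows the same single `a` column before and after the ALTER, so a regression of the dangling-name problem would presumably surface only as a crash or a memory-checker report, not as a result mismatch. A short comment above the last `call p1$`, for example `# '*' was expanded on an earlier call; the names must not point into freed table memory`, would tell the next reader what this call is checking.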
@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
|
||||
be allocated in the statement memory, not in table memory (the table
|
||||
structure can go away and pop up again between subsequent executions
|
||||
of a prepared statement or after the close_tables_for_reopen() call
|
||||
in mysql_multi_update_prepare()).
|
||||
in mysql_multi_update_prepare() or due to wildcard expansion in stored
|
||||
procedures).
|
||||
*/
|
||||
{
|
||||
if (db_name)
|
||||
|