1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug#38823: Invalid memory access when a SP statement does wildcard expansion

Browse Source 
The problem is that field names constructed due to wild-card
expansion done inside a stored procedure could point to freed
memory if the expansion was performed after the first call to
the stored procedure.

The problem was solved by patch for Bug#38691. The solution
was to allocate the database, table and field names in the
in the statement memory instead of table memory.
This commit is contained in:
Davi Arnaut 2008-10-14 11:04:36 -03:00
parent 702ae189a3
commit d4c75b7d0f
3 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
mysql-test/r/sp.result
View File

@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
end $ end $
call `p2`('s s s s s s'); call `p2`('s s s s s s');
drop procedure `p2`; drop procedure `p2`;
drop table if exists t1;
drop procedure if exists p1;
create procedure p1() begin select * from t1; end$
call p1$
ERROR 42S02: Table 'test.t1' doesn't exist
create table t1 (a integer)$
call p1$
a
alter table t1 add b integer;
call p1$
a
drop table t1;
drop procedure p1;
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# -- End of 5.0 tests # -- End of 5.0 tests
# ------------------------------------------------------------------ # ------------------------------------------------------------------

22
mysql-test/t/sp.test
View File

@ -7836,6 +7836,28 @@ delimiter ;$
call `p2`('s s s s s s'); call `p2`('s s s s s s');
drop procedure `p2`; drop procedure `p2`;
#
# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
#
--disable_warnings
drop table if exists t1;
drop procedure if exists p1;
--enable_warnings
delimiter $;
create procedure p1() begin select * from t1; end$
--error ER_NO_SUCH_TABLE
call p1$
create table t1 (a integer)$
call p1$
alter table t1 add b integer;
call p1$
delimiter ;$
drop table t1;
drop procedure p1;
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------
--echo # -- End of 5.0 tests --echo # -- End of 5.0 tests
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------

3
sql/item.cc
View File

@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
be allocated in the statement memory, not in table memory (the table be allocated in the statement memory, not in table memory (the table
structure can go away and pop up again between subsequent executions structure can go away and pop up again between subsequent executions
of a prepared statement or after the close_tables_for_reopen() call of a prepared statement or after the close_tables_for_reopen() call
in mysql_multi_update_prepare()). in mysql_multi_update_prepare() or due to wildcard expansion in stored
procedures).
*/ */
{ {
if (db_name) if (db_name)