Bug#38823: Invalid memory access when a SP statement does wildcard expansion
The problem is that field names constructed due to wild-card expansion done inside a stored procedure could point to freed memory if the expansion was performed after the first call to the stored procedure. The problem was solved by patch for Bug#38691. The solution was to allocate the database, table and field names in the in the statement memory instead of table memory.
This commit is contained in:
parent
702ae189a3
commit
d4c75b7d0f
@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
|
|||||||
end $
|
end $
|
||||||
call `p2`('s s s s s s');
|
call `p2`('s s s s s s');
|
||||||
drop procedure `p2`;
|
drop procedure `p2`;
|
||||||
|
drop table if exists t1;
|
||||||
|
drop procedure if exists p1;
|
||||||
|
create procedure p1() begin select * from t1; end$
|
||||||
|
call p1$
|
||||||
|
ERROR 42S02: Table 'test.t1' doesn't exist
|
||||||
|
create table t1 (a integer)$
|
||||||
|
call p1$
|
||||||
|
a
|
||||||
|
alter table t1 add b integer;
|
||||||
|
call p1$
|
||||||
|
a
|
||||||
|
drop table t1;
|
||||||
|
drop procedure p1;
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
# -- End of 5.0 tests
|
# -- End of 5.0 tests
|
||||||
# ------------------------------------------------------------------
|
# ------------------------------------------------------------------
|
||||||
|
@ -7836,6 +7836,28 @@ delimiter ;$
|
|||||||
call `p2`('s s s s s s');
|
call `p2`('s s s s s s');
|
||||||
drop procedure `p2`;
|
drop procedure `p2`;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
|
||||||
|
#
|
||||||
|
|
||||||
|
--disable_warnings
|
||||||
|
drop table if exists t1;
|
||||||
|
drop procedure if exists p1;
|
||||||
|
--enable_warnings
|
||||||
|
|
||||||
|
delimiter $;
|
||||||
|
create procedure p1() begin select * from t1; end$
|
||||||
|
--error ER_NO_SUCH_TABLE
|
||||||
|
call p1$
|
||||||
|
create table t1 (a integer)$
|
||||||
|
call p1$
|
||||||
|
alter table t1 add b integer;
|
||||||
|
call p1$
|
||||||
|
delimiter ;$
|
||||||
|
|
||||||
|
drop table t1;
|
||||||
|
drop procedure p1;
|
||||||
|
|
||||||
--echo # ------------------------------------------------------------------
|
--echo # ------------------------------------------------------------------
|
||||||
--echo # -- End of 5.0 tests
|
--echo # -- End of 5.0 tests
|
||||||
--echo # ------------------------------------------------------------------
|
--echo # ------------------------------------------------------------------
|
||||||
|
@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
|
|||||||
be allocated in the statement memory, not in table memory (the table
|
be allocated in the statement memory, not in table memory (the table
|
||||||
structure can go away and pop up again between subsequent executions
|
structure can go away and pop up again between subsequent executions
|
||||||
of a prepared statement or after the close_tables_for_reopen() call
|
of a prepared statement or after the close_tables_for_reopen() call
|
||||||
in mysql_multi_update_prepare()).
|
in mysql_multi_update_prepare() or due to wildcard expansion in stored
|
||||||
|
procedures).
|
||||||
*/
|
*/
|
||||||
{
|
{
|
||||||
if (db_name)
|
if (db_name)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user