From dabef66e66a48f2d5f4ca5fdfd1f9d927e935471 Mon Sep 17 00:00:00 2001 From: Nikita Malyavin Date: Mon, 29 Apr 2019 20:32:36 +1000 Subject: [PATCH] MDEV-19188 Server Crash When Using a Trigger With A Number of Virtual Columns on INSERT/UPDATE use s->fields instead of s->stored_fields. extra_null_bitmap is allocated in Table_triggers_list::prepare_record_accessors with respect to virtual fields, so it will not overflow Closes #1292 --- mysql-test/r/trigger.result | 30 +++++++++++++++++++++++++----- mysql-test/t/trigger.test | 33 ++++++++++++++++++++++++++++----- sql/sql_trigger.h | 2 +- 3 files changed, 54 insertions(+), 11 deletions(-) diff --git a/mysql-test/r/trigger.result b/mysql-test/r/trigger.result index 901d132cd2c..00f16accb3e 100644 --- a/mysql-test/r/trigger.result +++ b/mysql-test/r/trigger.result @@ -1962,7 +1962,7 @@ ERROR HY000: Can't update table 't2' in stored function/trigger because it is al DROP TABLE t1; DROP TRIGGER t_insert; DROP TABLE t2; -End of 5.0 tests +# End of 5.0 tests drop table if exists table_25411_a; drop table if exists table_25411_b; create table table_25411_a(a int); @@ -2131,7 +2131,7 @@ b # Work around Bug#45235 DROP DATABASE db1; USE test; -End of 5.1 tests. +# End of 5.1 tests. create table t1 (i int); create table t2 (i int); flush tables; @@ -2150,7 +2150,7 @@ select * from t2; i 2 drop table t1,t2; -End of 5.2 tests. +# End of 5.2 tests. # # Bug#34453 Can't change size of file (Errcode: 1224) # @@ -2253,7 +2253,7 @@ c aaa DROP TABLE t1; -End of 5.5 tests. +# End of 5.5 tests. # # BUG #910083: materialized subquery in a trigger # @@ -2300,7 +2300,7 @@ b SET optimizer_switch=@save_optimizer_switch; DROP TRIGGER tr; DROP TABLE t1, t2; -End of 5.3 tests. +# End of 5.3 tests. set time_zone="+00:00"; SET TIMESTAMP=UNIX_TIMESTAMP('2001-01-01 10:20:30'); SET @@session.sql_mode = 'STRICT_ALL_TABLES,STRICT_TRANS_TABLES'; 
@@ -2407,3 +2407,23 @@ CREATE TRIGGER tr AFTER UPDATE ON t1 FOR EACH ROW SELECT (SELECT b FROM t2) INTO @x; # Running 20000 queries DROP TABLE t1,t2; +# +# MDEV-19188 Server Crash When Using a Trigger With A Number of Virtual Columns on INSERT/UPDATE +# +CREATE TABLE t1 ( +virt1 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt2 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt3 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt4 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt5 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt6 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt7 INT GENERATED ALWAYS AS (0) VIRTUAL, +virt8 INT GENERATED ALWAYS AS (0) VIRTUAL +); +INSERT INTO t1 () VALUES (); +CREATE TRIGGER t1_trigger BEFORE INSERT ON t1 FOR EACH ROW BEGIN END; +INSERT INTO t1 () VALUES (); +DROP TABLE t1; +# +# End of 10.2 tests +# diff --git a/mysql-test/t/trigger.test b/mysql-test/t/trigger.test index b9e908e9944..a4beeaf9161 100644 --- a/mysql-test/t/trigger.test +++ b/mysql-test/t/trigger.test @@ -2184,7 +2184,7 @@ DROP TABLE t1; DROP TRIGGER t_insert; DROP TABLE t2; ---echo End of 5.0 tests +--echo # End of 5.0 tests # # Bug#25411 (trigger code truncated) @@ -2406,7 +2406,7 @@ let $MYSQLD_DATADIR = `select @@datadir`; DROP DATABASE db1; USE test; ---echo End of 5.1 tests. +--echo # End of 5.1 tests. # # Test that using a trigger will not open mysql.proc @@ -2430,7 +2430,7 @@ select * from t1; select * from t2; drop table t1,t2; ---echo End of 5.2 tests. +--echo # End of 5.2 tests. --echo # --echo # Bug#34453 Can't change size of file (Errcode: 1224) @@ -2574,7 +2574,7 @@ SELECT c FROM t1; DROP TABLE t1; --echo ---echo End of 5.5 tests. +--echo # End of 5.5 tests. --echo # --echo # BUG #910083: materialized subquery in a trigger @@ -2613,7 +2613,7 @@ SET optimizer_switch=@save_optimizer_switch; DROP TRIGGER tr; DROP TABLE t1, t2; ---echo End of 5.3 tests. +--echo # End of 5.3 tests. # # MDEV-4829 BEFORE INSERT triggers dont issue 1406 error 
@@ -2737,3 +2737,26 @@ while ($n) --enable_query_log DROP TABLE t1,t2; + +--echo # +--echo # MDEV-19188 Server Crash When Using a Trigger With A Number of Virtual Columns on INSERT/UPDATE +--echo # + +CREATE TABLE t1 ( + virt1 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt2 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt3 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt4 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt5 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt6 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt7 INT GENERATED ALWAYS AS (0) VIRTUAL, + virt8 INT GENERATED ALWAYS AS (0) VIRTUAL +); +INSERT INTO t1 () VALUES (); +CREATE TRIGGER t1_trigger BEFORE INSERT ON t1 FOR EACH ROW BEGIN END; +INSERT INTO t1 () VALUES (); +DROP TABLE t1; + +--echo # +--echo # End of 10.2 tests +--echo # diff --git a/sql/sql_trigger.h b/sql/sql_trigger.h index 9d1c79cc7cf..6e94f348447 100644 --- a/sql/sql_trigger.h +++ b/sql/sql_trigger.h @@ -274,7 +274,7 @@ public: Field **nullable_fields() { return record0_field; } void reset_extra_null_bitmap() { - size_t null_bytes= (trigger_table->s->stored_fields - + size_t null_bytes= (trigger_table->s->fields - trigger_table->s->null_fields + 7)/8; bzero(extra_null_bitmap, null_bytes); }
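Review bot: The new regression test in mysql-test/t/trigger.test covers only the `BEFORE INSERT` path, on a table whose eight columns are all virtual, although the bug title also names UPDATE. The byte count in reset_extra_null_bitmap() depends on the mix of stored, virtual and nullable columns, so a second table with at least one stored column, a `BEFORE UPDATE` trigger and an `UPDATE` statement would cover the other path. A column count that leaves a non-multiple-of-8 result would also exercise the `+ 7)/8` rounding. A short comment above the first `INSERT INTO t1 () VALUES ();`, for example `# baseline: same INSERT without a trigger`, would make clear why the statement appears twice.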
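Review bot: reset_extra_null_bitmap() in sql/sql_trigger.h still recomputes the bitmap length from `s->fields - s->null_fields` separately from the allocation in Table_triggers_list::prepare_record_accessors, which is not visible in this hunk. The two formulas can therefore drift apart again, and bzero() would then write past the buffer. If these counters are unsigned (presumably the old crash came from `stored_fields` being smaller than `null_fields` on an all-virtual table), the subtraction wraps to a very large length rather than going negative. A guard such as `DBUG_ASSERT(trigger_table->s->fields >= trigger_table->s->null_fields);` before the computation would document the invariant the fix relies on. Longer term, recording the allocated byte count in a member at allocation time and passing that to bzero() would remove the duplicated arithmetic; the enclosing class continues outside the hunk.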