1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug #57187: more user variable fun with multiple

Browse Source 
assignments and comparison in query

A query that compares assignments of the same
user variable caused Valgrind warnings: access
to freed memory region.

In case of a DECIMAL argument the assignment
operator (:=) may return a pointer to a stored
value instead of its copy when evaluated.
The next assignment to the same variable may:
 a) overwrite the stored value with a new one
    and return the same pointer or even
 b) reallocate stored value.

Thus, if we evaluate an assignment and keep
the result pointer and then evaluate another
assignment to the same variable, then the
kept result pointer of the first assignment
will point to unexpectedly changed data or
it may be a dead pointer.

That may cause wrong data or crash.

The user_var_entry::val_decimal method has
been modified to copy user variable data.


mysql-test/r/user_var.result:
  Test case for bug #57187.
mysql-test/t/user_var.test:
  Test case for bug #57187.
sql/item_func.cc:
  Bug #57187: more user variable fun with multiple
              assignments and comparison in query
  
  The user_var_entry::val_decimal method has
  been modified to copy user variable data.
This commit is contained in:
Gleb Shchepa 2010-12-06 23:38:31 +03:00
parent 6428e19684
commit e5a88caf08
3 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
mysql-test/r/user_var.result
View File

@ -450,4 +450,10 @@ DROP TABLE t1;
select @v:=@v:=sum(1) from dual;
@v:=@v:=sum(1)
1
CREATE TABLE t1(a DECIMAL(31,21));
INSERT INTO t1 VALUES (0);
SELECT (@v:=a) <> (@v:=1) FROM t1;
(@v:=a) <> (@v:=1)
1
DROP TABLE t1;
End of 5.1 tests

12
mysql-test/t/user_var.test
View File

@ -353,4 +353,16 @@ DROP TABLE t1;
select @v:=@v:=sum(1) from dual;
#
# Bug #57187: more user variable fun with multiple assignments and
# comparison in query
#
CREATE TABLE t1(a DECIMAL(31,21));
INSERT INTO t1 VALUES (0);
SELECT (@v:=a) <> (@v:=1) FROM t1;
DROP TABLE t1;
--echo End of 5.1 tests

2
sql/item_func.cc
View File

@ -4064,7 +4064,7 @@ my_decimal *user_var_entry::val_decimal(my_bool *null_value, my_decimal *val)
int2my_decimal(E_DEC_FATAL_ERROR, *(longlong*) value, 0, val);
break;
case DECIMAL_RESULT:
val= (my_decimal *)value;
my_decimal2decimal((my_decimal *) value, val);
break;
case STRING_RESULT:
str2my_decimal(E_DEC_FATAL_ERROR, value, length, collation.collation, val);