Commit 33a09cdc authored by Gleb Shchepa's avatar Gleb Shchepa

Bug#42188: crash and/or memory corruption with user variables

           in trigger

Interchangeable calls to the mysql_change_user client function
and invocations of a trigger changing some user variable caused
a memory corruption and a crash.

The mysql_change_user API call forces TDH::cleanup() on a server
that frees user variable entries.
However it didn't reset Item_func_set_user_var::entry to NULL
because Item_func_set_user_var::cleanup() was not overloaded.
So, Item_func_set_user_var::entry held a pointer to freed memory,
that caused a crash.

The Item_func_set_user_var::cleanup method has been overloaded
to cleanup the Item_func_set_user_var::entry field.
parent a27a91ca
......@@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
0 3 3
1 3 4
drop table t1;
CREATE TABLE t1 (i INT);
CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
INSERT INTO t1 VALUES (1);
INSERT INTO t1 VALUES (1);
DROP TABLE t1;
End of 5.1 tests
......@@ -285,4 +285,15 @@ set @lastid=-1;
select @lastid != id, @lastid, @lastid := id from t1;
drop table t1;
#
# Bug#42188: crash and/or memory corruption with user variables in trigger
#
CREATE TABLE t1 (i INT);
CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
INSERT INTO t1 VALUES (1);
--change_user
INSERT INTO t1 VALUES (1);
DROP TABLE t1;
--echo End of 5.1 tests
......@@ -3808,6 +3808,13 @@ static user_var_entry *get_variable(HASH *hash, LEX_STRING &name,
}
void Item_func_set_user_var::cleanup()
{
Item_func::cleanup();
entry= NULL;
}
bool Item_func_set_user_var::set_entry(THD *thd, bool create_if_not_exists)
{
if (entry && thd->thread_id == entry_thread_id)
......
......@@ -1357,6 +1357,7 @@ public:
void save_org_in_field(Field *field) { (void)save_in_field(field, 1, 0); }
bool register_field_in_read_map(uchar *arg);
bool set_entry(THD *thd, bool create_if_not_exists);
void cleanup();
};
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment