From 84de3b930bcae8af7a7b5613dd8be514afbb8661 Mon Sep 17 00:00:00 2001
From: Sergey Glukhov <Sergey.Glukhov@sun.com>
Date: Wed, 10 Dec 2008 18:13:11 +0400
Subject: [PATCH] Bug#37956 memory leak and / or crash with geometry and
 prepared statements! Bug#37671 crash on prepared statement + cursor +
 geometry + too many open files! if mysql_execute_command() returns error then
 free materialized_cursor object. is_rnd_inited is added to satisfy rnd_end()
 assertion (handler may be uninitialized in some cases)

sql/sql_cursor.cc:
  if mysql_execute_command() returns error then free materialized_cursor object.
  is_rnd_inited is added to satisfy rnd_end() assertion
  (handler may be uninitialized in some cases)
sql/sql_select.cc:
  added result check
tests/mysql_client_test.c:
  test case
---
 sql/sql_cursor.cc         | 18 +++++++++----
 sql/sql_select.cc         |  7 +++--
 tests/mysql_client_test.c | 54 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 7 deletions(-)

diff --git a/sql/sql_cursor.cc b/sql/sql_cursor.cc
index 16567765ba..83c60814cf 100644
--- a/sql/sql_cursor.cc
+++ b/sql/sql_cursor.cc
@@ -85,6 +85,7 @@ class Materialized_cursor: public Server_side_cursor
   List<Item> item_list;
   ulong fetch_limit;
   ulong fetch_count;
+  bool is_rnd_inited;
 public:
   Materialized_cursor(select_result *result, TABLE *table);
 
@@ -191,7 +192,11 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
       such command is SHOW VARIABLES or SHOW STATUS.
   */
   if (rc)
+  {
+    if (result_materialize->materialized_cursor)
+      delete result_materialize->materialized_cursor;
     goto err_open;
+  }
 
   if (sensitive_cursor->is_open())
   {
@@ -532,7 +537,8 @@ Materialized_cursor::Materialized_cursor(select_result *result_arg,
   :Server_side_cursor(&table_arg->mem_root, result_arg),
   table(table_arg),
   fetch_limit(0),
-  fetch_count(0)
+  fetch_count(0),
+  is_rnd_inited(0)
 {
   fake_unit.init_query();
   fake_unit.thd= table->in_use;
@@ -589,11 +595,12 @@ int Materialized_cursor::open(JOIN *join __attribute__((unused)))
   THD *thd= fake_unit.thd;
   int rc;
   Query_arena backup_arena;
-
   thd->set_n_backup_active_arena(this, &backup_arena);
   /* Create a list of fields and start sequential scan */
-  rc= (result->prepare(item_list, &fake_unit) ||
-       table->file->ha_rnd_init(TRUE));
+  rc= result->prepare(item_list, &fake_unit);
+  if (!rc && !(rc= table->file->ha_rnd_init(TRUE)))
+    is_rnd_inited= 1;
+
   thd->restore_active_arena(this, &backup_arena);
   if (rc == 0)
   {
@@ -673,7 +680,8 @@ void Materialized_cursor::close()
 {
   /* Free item_list items */
   free_items();
-  (void) table->file->ha_rnd_end();
+  if (is_rnd_inited)
+    (void) table->file->ha_rnd_end();
   /*
     We need to grab table->mem_root to prevent free_tmp_table from freeing:
     the cursor object was allocated in this memory.
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 48276170ca..d2c469f99d 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -1599,8 +1599,11 @@ JOIN::exec()
 		      (zero_result_cause?zero_result_cause:"No tables used"));
     else
     {
-      result->send_fields(*columns_list,
-                          Protocol::SEND_NUM_ROWS | Protocol::SEND_EOF);
+      if (result->send_fields(*columns_list,
+                              Protocol::SEND_NUM_ROWS | Protocol::SEND_EOF))
+      {
+        DBUG_VOID_RETURN;
+      }
       /*
         We have to test for 'conds' here as the WHERE may not be constant
         even if we don't have any tables for prepared statements or if
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index ee3a053f8b..ea4d363bda 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -15899,6 +15899,59 @@ static void test_bug28934()
 }
 
 
+/**
+  Bug#37956 memory leak and / or crash with geometry and prepared statements! 
+*/
+
+static void test_bug37956(void)
+{
+  const char *query="select point(?,?)";
+  MYSQL_STMT *stmt=NULL;
+  unsigned int val=0;
+  MYSQL_BIND bind_param[2];
+  unsigned char buff[2]= { 134, 211 };
+  DBUG_ENTER("test_bug37956");
+  myheader("test_bug37956");
+
+  stmt= mysql_simple_prepare(mysql, query);
+  check_stmt(stmt);
+
+  val=1;
+  mysql_stmt_attr_set(stmt, STMT_ATTR_UPDATE_MAX_LENGTH, (void *)&val);
+  val=CURSOR_TYPE_READ_ONLY;
+  mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void *)&val);
+  val=0;
+  mysql_stmt_attr_set(stmt, STMT_ATTR_PREFETCH_ROWS, (void *)&val);
+
+  memset(bind_param, 0, sizeof(bind_param));
+  bind_param[0].buffer_type=MYSQL_TYPE_TINY;
+  bind_param[0].buffer= (void *)buff;
+  bind_param[0].is_null=NULL;
+  bind_param[0].error=NULL;
+  bind_param[0].is_unsigned=1;
+  bind_param[1].buffer_type=MYSQL_TYPE_TINY;
+  bind_param[1].buffer= (void *)(buff+1);
+  bind_param[1].is_null=NULL;
+  bind_param[1].error=NULL;
+  bind_param[1].is_unsigned=1;
+
+  if (mysql_stmt_bind_param(stmt, bind_param))
+  {
+    mysql_stmt_close(stmt);
+    DIE_UNLESS(0);
+  }
+
+  if (mysql_stmt_execute(stmt))
+  {
+    mysql_stmt_close(stmt);
+    DBUG_VOID_RETURN;
+  }
+  /* Should never reach here: execution returns an error. */
+  mysql_stmt_close(stmt);
+  DIE_UNLESS(0);
+  DBUG_VOID_RETURN;
+}
+
 /*
   Bug#27592 (stack overrun when storing datetime value using prepared statements)
 */
@@ -16595,6 +16648,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug32265", test_bug32265 },
   { "test_bug38486", test_bug38486 },
   { "test_bug40365", test_bug40365 },
+  { "test_bug37956", test_bug37956 },
   { 0, 0 }
 };
 
-- 
2.30.9