•   Bug#42188: crash and/or memory corruption with user variables in trigger · 93991b6b
    Gleb Shchepa authored
    
    Interchangeable calls to the mysql_change_user client function
    and invocations of a trigger changing some user variable caused
    a memory corruption and a crash.
    
    The mysql_change_user API call forces THD::cleanup() on a server
    that frees user variable entries.
    However, it didn't reset Item_func_set_user_var::entry to NULL
    because Item_func_set_user_var::cleanup() was not overloaded.
    So, Item_func_set_user_var::entry held a pointer to freed memory,
    which caused a crash.
    
    The Item_func_set_user_var::cleanup method has been overloaded
    to clean up the Item_func_set_user_var::entry field.
    
    
    mysql-test/r/user_var.result:
      Added test case for bug #42188.
    mysql-test/t/user_var.test:
      Added test case for bug #42188.
    sql/item_func.cc:
      Bug#42188: crash and/or memory corruption with user variables
                 in trigger
      
      The Item_func_set_user_var::cleanup method has been overloaded
      to clean up the Item_func_set_user_var::entry field.
    sql/item_func.h:
      Bug#42188: crash and/or memory corruption with user variables
                 in trigger
      
      The Item_func_set_user_var::cleanup method has been overloaded
      to clean up the Item_func_set_user_var::entry field.
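
The dangling-pointer pattern described in the commit message above, as a simplified C++ model added here for illustration; it is not MySQL source and not part of the commit. `Session`, `VarEntry`, `SetUserVarItem`, `resets_entry` and `replay` are hypothetical names, and freed entries are parked and flagged rather than deleted so the stale write can be counted without undefined behaviour.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Simplified model, not MySQL source. "Freed" entries are moved to a
// graveyard and flagged, so a write through a stale pointer is observable.
struct VarEntry { long value = 0; bool live = true; };

struct Session {                        // stands in for the server-side session
    std::map<std::string, std::unique_ptr<VarEntry>> vars;
    std::vector<std::unique_ptr<VarEntry>> graveyard;
    int stale_writes = 0;
    VarEntry *get_or_create(const std::string &name) {
        auto &slot = vars[name];
        if (!slot) slot = std::make_unique<VarEntry>();
        return slot.get();
    }
    void cleanup() {                    // session reset: all entries are freed
        for (auto &kv : vars) {
            kv.second->live = false;
            graveyard.push_back(std::move(kv.second));
        }
        vars.clear();
    }
};

struct SetUserVarItem {                 // stands in for the cached trigger item
    std::string name;
    VarEntry *entry = nullptr;          // cached across executions
    bool resets_entry;                  // true models the overridden cleanup()
    void execute(Session &s, long v) {
        if (!entry) entry = s.get_or_create(name);
        if (!entry->live) ++s.stale_writes;  // a use-after-free in real code
        entry->value = v;
    }
    void cleanup() { if (resets_entry) entry = nullptr; }
};

// Trigger fires, the session is reset, then the same cached item fires again.
Session replay(bool resets_entry) {
    Session s;
    SetUserVarItem item{"a", nullptr, resets_entry};
    item.execute(s, 1);
    s.cleanup();
    item.cleanup();
    item.execute(s, 2);
    return s;
}
```

With `resets_entry` false the second execution writes into the retired entry and the session never sees the variable; with it true the item looks the entry up again and the write lands in a live one.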