MDEV-15746 ASAN heap-use-after-free in...

MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS don't try to convert a default value string from a user character set into a column character set, if this particular default value string did not came from the user at all (that is, if it's an ALTER TABLE and the default value string is the *old* default value of the unaltered column). This used to crash, because old defaults are allocated on the old table's memroot, which is freed mid-ALTER when the old table is closed. So thd->rollback_item_tree_changes() at the end of the ALTER was writing into the freed memory.

MDEV-15746 ASAN heap-use-after-free in...
MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS don't try to convert a default value string from a user character set into a column character set, if this particular default value string did not came from the user at all (that is, if it's an ALTER TABLE and the default value string is the *old* default value of the unaltered column). This used to crash, because old defaults are allocated on the old table's memroot, which is freed mid-ALTER when the old table is closed. So thd->rollback_item_tree_changes() at the end of the ALTER was writing into the freed memory.
92a13148 · Sergei Golubchik · 88a0bb83 · 92a13148 · 92a13148 · 92a13148
Commit 92a13148 authored Apr 16, 2018 by Sergei Golubchik
Show whitespace changes
Inline Side-by-side

Showing with 28 additions and 0 deletions

mysql-test/r/ps.result mysql-test/r/ps.result +11 -0

mysql-test/t/ps.test mysql-test/t/ps.test +15 -0

sql/sql_table.cc sql/sql_table.cc +2 -0

No files found.
--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -5163,3 +5163,14 @@ END;
 $$
 CALL p1('x');
 DROP PROCEDURE p1;
+create table t1 (b blob default '');
+prepare stmt from "alter table t1 force";
+execute stmt;
+execute stmt;
+execute stmt;
+set names latin1;
+prepare stmt from "alter table t1 modify b text character set utf8 default 'a'";
+execute stmt;
+execute stmt;
+execute stmt;
+drop table t1;
--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -4635,3 +4635,18 @@ DELIMITER ;$$
 --disable_result_log
 CALL p1('x');
 DROP PROCEDURE p1;
+
+#
+# MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS
+#
+create table t1 (b blob default '');
+prepare stmt from "alter table t1 force";
+execute stmt;
+execute stmt;
+execute stmt;
+set names latin1;
+prepare stmt from "alter table t1 modify b text character set utf8 default 'a'";
+execute stmt;
+execute stmt;
+execute stmt;
+drop table t1;
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -3378,6 +3378,8 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
    */
    if (sql_field->default_value &&
        sql_field->default_value->expr->basic_const_item() &&
+        (!sql_field->field ||
+         sql_field->field->default_value != sql_field->default_value) &&
        save_cs != sql_field->default_value->expr->collation.collation &&
        (sql_field->sql_type == MYSQL_TYPE_VAR_STRING ||
         sql_field->sql_type == MYSQL_TYPE_STRING ||