Commit 017307f2 authored by Davi Arnaut's avatar Davi Arnaut

Bug#38823: Invalid memory access when a SP statement does wildcard expansion

The problem is that field names constructed due to wild-card
expansion done inside a stored procedure could point to freed
memory if the expansion was performed after the first call to
the stored procedure.

The problem was solved by the patch for Bug#38691. The solution
was to allocate the database, table and field names in the
statement memory instead of table memory.

mysql-test/r/sp.result:
  Add test case result for Bug#38823
mysql-test/t/sp.test:
  Add test case for Bug#38823
sql/item.cc:
  Remark that this also impacts wildcard expansion inside SPs.
parent 9b6347f0
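--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
 end $
 call `p2`('s s s s s s');
 drop procedure `p2`;
+drop table if exists t1;
+drop procedure if exists p1;
+create procedure p1() begin select * from t1; end$
+call p1$
+ERROR 42S02: Table 'test.t1' doesn't exist
+create table t1 (a integer)$
+call p1$
+a
+alter table t1 add b integer;
+call p1$
+a
+drop table t1;
+drop procedure p1;
 # ------------------------------------------------------------------
 # -- End of 5.0 tests
 # ------------------------------------------------------------------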
...@@ -7836,6 +7836,28 @@ delimiter ;$ ...@@ -7836,6 +7836,28 @@ delimiter ;$
call `p2`('s s s s s s'); call `p2`('s s s s s s');
drop procedure `p2`; drop procedure `p2`;
#
# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
#
--disable_warnings
drop table if exists t1;
drop procedure if exists p1;
--enable_warnings
delimiter $;
create procedure p1() begin select * from t1; end$
--error ER_NO_SUCH_TABLE
call p1$
create table t1 (a integer)$
call p1$
alter table t1 add b integer;
call p1$
delimiter ;$
drop table t1;
drop procedure p1;
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------
--echo # -- End of 5.0 tests --echo # -- End of 5.0 tests
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------
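Review bot: `alter table t1 add b integer;` in the new test case is terminated with `;` while the active delimiter is still `$` (set by `delimiter $;` above and only reset by `delimiter ;$` two lines later), so mysqltest does not send the ALTER as a statement of its own but accumulates it together with the following `call p1$`. The expected output in mysql-test/r/sp.result echoes the two lines back-to-back with no result between them, which is consistent with that; the case then presumably passes only because the server accepts the combined text as a multi-statement, which is incidental rather than what the test is meant to check. Changing the line to `alter table t1 add b integer$` keeps the ALTER separate and makes the purpose of the second `call p1$` explicit; the result file would need re-recording to match.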
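--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
 be allocated in the statement memory, not in table memory (the table
 structure can go away and pop up again between subsequent executions
 of a prepared statement or after the close_tables_for_reopen() call
-in mysql_multi_update_prepare()).
+in mysql_multi_update_prepare() or due to wildcard expansion in stored
+procedures).
 */
 {
 if (db_name)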
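Review bot: The new wording in the comment above the constructor body reads as if wildcard expansion were a reason the table structure "can go away and pop up again", but the commit description says the opposite causal chain: the expansion is what produces Item_field names that must outlive the TABLE between executions of the stored procedure. A phrasing that keeps that straight: `in mysql_multi_update_prepare(), or between executions of a stored procedure whose select list was expanded from a wildcard).`. The Item_field constructor body opened by `{` continues past the end of the hunk.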