Commit 0e793eda authored by Gleb Shchepa's avatar Gleb Shchepa

Bug #57187: more user variable fun with multiple

            assignments and comparison in query

A query that compares assignments of the same
user variable caused Valgrind warnings: access
to freed memory region.

In case of a DECIMAL argument the assignment
operator (:=) may return a pointer to a stored
value instead of its copy when evaluated.
The next assignment to the same variable may:
 a) overwrite the stored value with a new one
    and return the same pointer or even
 b) reallocate stored value.

Thus, if we evaluate an assignment and keep
the result pointer and then evaluate another
assignment to the same variable, then the
kept result pointer of the first assignment
will point to unexpectedly changed data or
it may be a dead pointer.

That may cause wrong data or crash.

The user_var_entry::val_decimal method has
been modified to copy user variable data.


mysql-test/r/user_var.result:
  Test case for bug #57187.
mysql-test/t/user_var.test:
  Test case for bug #57187.
sql/item_func.cc:
  Bug #57187: more user variable fun with multiple
              assignments and comparison in query
  
  The user_var_entry::val_decimal method has
  been modified to copy user variable data.
parent 4edeea2b
......@@ -450,4 +450,10 @@ DROP TABLE t1;
select @v:=@v:=sum(1) from dual;
@v:=@v:=sum(1)
1
CREATE TABLE t1(a DECIMAL(31,21));
INSERT INTO t1 VALUES (0);
SELECT (@v:=a) <> (@v:=1) FROM t1;
(@v:=a) <> (@v:=1)
1
DROP TABLE t1;
End of 5.1 tests
......@@ -353,4 +353,16 @@ DROP TABLE t1;
select @v:=@v:=sum(1) from dual;
#
# Bug #57187: more user variable fun with multiple assignments and
# comparison in query
#
CREATE TABLE t1(a DECIMAL(31,21));
INSERT INTO t1 VALUES (0);
SELECT (@v:=a) <> (@v:=1) FROM t1;
DROP TABLE t1;
--echo End of 5.1 tests
......@@ -4064,7 +4064,7 @@ my_decimal *user_var_entry::val_decimal(my_bool *null_value, my_decimal *val)
int2my_decimal(E_DEC_FATAL_ERROR, *(longlong*) value, 0, val);
break;
case DECIMAL_RESULT:
val= (my_decimal *)value;
my_decimal2decimal((my_decimal *) value, val);
break;
case STRING_RESULT:
str2my_decimal(E_DEC_FATAL_ERROR, value, length, collation.collation, val);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment