Commit 7974805c authored by Chaithra Gopalareddy's avatar Chaithra Gopalareddy

Bug#16119355:PREPARED STATEMENT: READ OF FREED MEMORY WITH STRING CONVERSION FUNCTIONS

Reverting fix for Bug#16119355 in 5.1 as this needs two patches 
from 5.5+ to work for a certain case
parent 2e28a18a
...@@ -1391,13 +1391,6 @@ class Item_func_set_user_var :public Item_func ...@@ -1391,13 +1391,6 @@ class Item_func_set_user_var :public Item_func
:Item_func(b), cached_result_type(INT_RESULT), :Item_func(b), cached_result_type(INT_RESULT),
entry(NULL), entry_thread_id(0), name(a) entry(NULL), entry_thread_id(0), name(a)
{} {}
Item_func_set_user_var(THD *thd, Item_func_set_user_var *item)
:Item_func(thd, item), cached_result_type(item->cached_result_type),
entry(item->entry), entry_thread_id(item->entry_thread_id),
value(item->value), decimal_buff(item->decimal_buff),
null_item(item->null_item), save_result(item->save_result),
name(item->name)
{}
enum Functype functype() const { return SUSERVAR_FUNC; } enum Functype functype() const { return SUSERVAR_FUNC; }
double val_real(); double val_real();
......
...@@ -15779,44 +15779,20 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array, ...@@ -15779,44 +15779,20 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array,
res_selected_fields.empty(); res_selected_fields.empty();
res_all_fields.empty(); res_all_fields.empty();
uint border= all_fields.elements - elements; uint i, border= all_fields.elements - elements;
for (uint i= 0; (item= it++); i++) for (i= 0; (item= it++); i++)
{ {
Field *field; Field *field;
if (item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM)
if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||
(item->type() == Item::FUNC_ITEM &&
((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC))
item_field= item; item_field= item;
else if (item->type() == Item::FIELD_ITEM) else
item_field= item->get_tmp_table_item(thd);
else if (item->type() == Item::FUNC_ITEM &&
((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC)
{ {
field= item->get_tmp_table_field(); if (item->type() == Item::FIELD_ITEM)
if( field != NULL)
{ {
/* item_field= item->get_tmp_table_item(thd);
Replace "@:=<expression>" with "@:=<tmp table column>". Otherwise, we
would re-evaluate <expression>, and if expression were a subquery, this
would access already-unlocked tables.
*/
Item_func_set_user_var* suv=
new Item_func_set_user_var(thd, (Item_func_set_user_var*) item);
Item_field *new_field= new Item_field(field);
if (!suv || !new_field)
DBUG_RETURN(true); // Fatal error
/*
We are replacing the argument of Item_func_set_user_var after its value
has been read. The argument's null_value should be set by now, so we
must set it explicitly for the replacement argument since the null_value
may be read without any preceeding call to val_*().
*/
new_field->update_null_value();
List<Item> list;
list.push_back(new_field);
suv->set_arguments(list);
item_field= suv;
}
else
item_field= item;
} }
else if ((field= item->get_tmp_table_field())) else if ((field= item->get_tmp_table_field()))
{ {
...@@ -15825,7 +15801,7 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array, ...@@ -15825,7 +15801,7 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array,
else else
item_field= (Item*) new Item_field(field); item_field= (Item*) new Item_field(field);
if (!item_field) if (!item_field)
DBUG_RETURN(true); // Fatal error DBUG_RETURN(TRUE); // Fatal error
if (item->real_item()->type() != Item::FIELD_ITEM) if (item->real_item()->type() != Item::FIELD_ITEM)
field->orig_table= 0; field->orig_table= 0;
...@@ -15850,17 +15826,17 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array, ...@@ -15850,17 +15826,17 @@ change_to_use_tmp_fields(THD *thd, Item **ref_pointer_array,
} }
else else
item_field= item; item_field= item;
}
res_all_fields.push_back(item_field); res_all_fields.push_back(item_field);
ref_pointer_array[((i < border)? all_fields.elements-i-1 : i-border)]= ref_pointer_array[((i < border)? all_fields.elements-i-1 : i-border)]=
item_field; item_field;
} }
List_iterator_fast<Item> itr(res_all_fields); List_iterator_fast<Item> itr(res_all_fields);
for (uint i= 0; i < border; i++) for (i= 0; i < border; i++)
itr++; itr++;
itr.sublist(res_selected_fields, elements); itr.sublist(res_selected_fields, elements);
DBUG_RETURN(false); DBUG_RETURN(FALSE);
} }
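Review bot: The restored condition in change_to_use_tmp_fields that routes `Item_func::SUSERVAR_FUNC` items to `item_field= item` has no comment recording that this is the path Bug#16119355 was filed against, so the source no longer shows that the read of freed memory named in the commit title is presumably still reachable in 5.1. The revert also drops the only explanation of the risk, the removed comment saying that leaving `@:=<expression>` in place re-evaluates the expression and can access already-unlocked tables. I would add a short comment above the condition, for example `/* Bug#16119355 is not fixed in 5.1: the user-variable assignment is re-evaluated from its original expression, not read from the tmp table column. */`, and keep a regression test for the prepared-statement case so the open issue stays visible. Separately, the result of `item->get_tmp_table_item(thd)` on the FIELD_ITEM branch is stored without the `if (!item_field)` check applied after `new Item_field(field)`; if that call can return NULL on allocation failure, it needs the same guard. The function begins before the first hunk shown, and lines between the hunks are not visible here.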
......