MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc

88a9d4ab · Alexander Barkov · 4025cfae · 88a9d4ab · 88a9d4ab · 88a9d4ab
Commit 88a9d4ab authored Mar 02, 2018 by Alexander Barkov
Showing with 112 additions and 5 deletions

mysql-test/r/sp-destruct.result mysql-test/r/sp-destruct.result +57 -0

mysql-test/t/sp-destruct.test mysql-test/t/sp-destruct.test +35 -0

sql/sp.h sql/sp.h +12 -0

sql/sql_show.cc sql/sql_show.cc +8 -5

No files found.
--- a/mysql-test/r/sp-destruct.result
+++ b/mysql-test/r/sp-destruct.result
@@ -171,3 +171,60 @@ create database mysqltest1;
 create procedure mysqltest1.foo() select "foo";
 update mysql.proc set name='' where db='mysqltest1';
 drop database mysqltest1;
+#
+# MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc
+#
+CREATE OR REPLACE FUNCTION f1 (a INT) RETURNS INT RETURN 10;
+CREATE OR REPLACE FUNCTION f2 (a INT) RETURNS INT RETURN 10;
+SELECT
+@type0:=COLUMN_TYPE AS t0,
+@type1:=REPLACE(COLUMN_TYPE,')',',''XXX'')') AS t1
+FROM INFORMATION_SCHEMA.COLUMNS
+WHERE table_schema='mysql' AND table_name='proc' AND column_name='type';
+t0	enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY')
+t1	enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY','XXX')
+EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type1);
+SHOW COLUMNS IN mysql.proc LIKE 'type';
+Field	Type	Null	Key	Default	Extra
+type	enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY','XXX')	NO	PRI	NULL	
+UPDATE mysql.proc SET type='XXX' WHERE name='f1' AND db='test';
+SELECT * FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='test';
+SPECIFIC_CATALOG	def
+SPECIFIC_SCHEMA	test
+SPECIFIC_NAME	f2
+ORDINAL_POSITION	0
+PARAMETER_MODE	NULL
+PARAMETER_NAME	NULL
+DATA_TYPE	int
+CHARACTER_MAXIMUM_LENGTH	NULL
+CHARACTER_OCTET_LENGTH	NULL
+NUMERIC_PRECISION	10
+NUMERIC_SCALE	0
+DATETIME_PRECISION	NULL
+CHARACTER_SET_NAME	NULL
+COLLATION_NAME	NULL
+DTD_IDENTIFIER	int(11)
+ROUTINE_TYPE	FUNCTION
+SPECIFIC_CATALOG	def
+SPECIFIC_SCHEMA	test
+SPECIFIC_NAME	f2
+ORDINAL_POSITION	1
+PARAMETER_MODE	IN
+PARAMETER_NAME	a
+DATA_TYPE	int
+CHARACTER_MAXIMUM_LENGTH	NULL
+CHARACTER_OCTET_LENGTH	NULL
+NUMERIC_PRECISION	10
+NUMERIC_SCALE	0
+DATETIME_PRECISION	NULL
+CHARACTER_SET_NAME	NULL
+COLLATION_NAME	NULL
+DTD_IDENTIFIER	int(11)
+ROUTINE_TYPE	FUNCTION
+UPDATE mysql.proc SET type='FUNCTION' WHERE name='f1' AND db='test';
+EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type0);
+SHOW COLUMNS IN mysql.proc LIKE 'type';
+Field	Type	Null	Key	Default	Extra
+type	enum('FUNCTION','PROCEDURE','PACKAGE','PACKAGE BODY')	NO	PRI	NULL	
+DROP FUNCTION f1;
+DROP FUNCTION f2;
--- a/mysql-test/t/sp-destruct.test
+++ b/mysql-test/t/sp-destruct.test
@@ -285,3 +285,38 @@ create database mysqltest1;
 create procedure mysqltest1.foo() select "foo";
 update mysql.proc set name='' where db='mysqltest1';
 drop database mysqltest1;
+
+
+--echo #
+--echo # MDEV-15444 Querying I_S.PARAMETERS can crash with a corrupted mysql.proc
+--echo #
+
+CREATE OR REPLACE FUNCTION f1 (a INT) RETURNS INT RETURN 10;
+CREATE OR REPLACE FUNCTION f2 (a INT) RETURNS INT RETURN 10;
+
+# Get the current data type for mysql.proc.type
+--vertical_results
+SELECT
+  @type0:=COLUMN_TYPE AS t0,
+  @type1:=REPLACE(COLUMN_TYPE,')',',''XXX'')') AS t1
+   FROM INFORMATION_SCHEMA.COLUMNS
+WHERE table_schema='mysql' AND table_name='proc' AND column_name='type';
+--horizontal_results
+
+# Change mysql.proc.type and update the record for 'f1'
+EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type1);
+SHOW COLUMNS IN mysql.proc LIKE 'type';
+UPDATE mysql.proc SET type='XXX' WHERE name='f1' AND db='test';
+
+# Check the I_S query
+--vertical_results
+SELECT * FROM INFORMATION_SCHEMA.PARAMETERS WHERE SPECIFIC_SCHEMA='test';
+--horizontal_results
+
+# Restore the record for 'f1' and restore mysql.proc.type
+UPDATE mysql.proc SET type='FUNCTION' WHERE name='f1' AND db='test';
+EXECUTE IMMEDIATE CONCAT('ALTER TABLE mysql.proc MODIFY type ', @type0);
+SHOW COLUMNS IN mysql.proc LIKE 'type';
+
+DROP FUNCTION f1;
+DROP FUNCTION f2;
--- a/sql/sp.h
+++ b/sql/sp.h
@@ -122,6 +122,16 @@ class Sp_handler
  static const Sp_handler *handler(enum enum_sql_command cmd);
  static const Sp_handler *handler(stored_procedure_type type);
  static const Sp_handler *handler(MDL_key::enum_mdl_namespace ns);
+  /*
+    Return a handler only those SP objects that store
+    definitions in the mysql.proc system table
+  */
+  static const Sp_handler *handler_mysql_proc(stored_procedure_type type)
+  {
+    const Sp_handler *sph= handler(type);
+    return sph ? sph->sp_handler_mysql_proc() : NULL;
+  }
+
  static bool eq_routine_name(const LEX_CSTRING &name1,
                              const LEX_CSTRING &name2)
  {
@@ -153,6 +163,7 @@ class Sp_handler
    return m_empty_body;
  }
  virtual MDL_key::enum_mdl_namespace get_mdl_type() const= 0;
+  virtual const Sp_handler *sp_handler_mysql_proc() const { return this; }
  virtual sp_cache **get_cache(THD *) const { return NULL; }
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
  virtual HASH *get_priv_hash() const { return NULL; }
@@ -434,6 +445,7 @@ class Sp_handler_trigger: public Sp_handler
    DBUG_ASSERT(0);
    return MDL_key::TRIGGER;
  }
+  const Sp_handler *sp_handler_mysql_proc() const { return NULL; }
 };



--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -6155,9 +6155,11 @@ bool store_schema_params(THD *thd, TABLE *table, TABLE *proc_table,
  proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name);
  proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer);
  sql_mode= (sql_mode_t) proc_table->field[MYSQL_PROC_FIELD_SQL_MODE]->val_int();
-  sph= Sp_handler::handler((stored_procedure_type) proc_table->field[MYSQL_PROC_MYSQL_TYPE]->val_int());
+  sph= Sp_handler::handler_mysql_proc((stored_procedure_type)
+                                      proc_table->field[MYSQL_PROC_MYSQL_TYPE]->
+                                      val_int());
  if (!sph)
-    sph= &sp_handler_procedure;
+    DBUG_RETURN(0);

  if (!full_access)
    full_access= !strcmp(sp_user, definer.str);
@@ -6265,10 +6267,11 @@ bool store_schema_proc(THD *thd, TABLE *table, TABLE *proc_table,
  proc_table->field[MYSQL_PROC_FIELD_DB]->val_str_nopad(thd->mem_root, &db);
  proc_table->field[MYSQL_PROC_FIELD_NAME]->val_str_nopad(thd->mem_root, &name);
  proc_table->field[MYSQL_PROC_FIELD_DEFINER]->val_str_nopad(thd->mem_root, &definer);
-  sph= Sp_handler::handler((stored_procedure_type)
-                           proc_table->field[MYSQL_PROC_MYSQL_TYPE]->val_int());
+  sph= Sp_handler::handler_mysql_proc((stored_procedure_type)
+                                      proc_table->field[MYSQL_PROC_MYSQL_TYPE]->
+                                      val_int());
  if (!sph)
-    sph= &sp_handler_procedure;
+    return 0;

  if (!full_access)
    full_access= !strcmp(sp_user, definer.str);