Fixed some possible usage of freed memory

- Create_tmp_table::finalize didn't clear file after delete which could cause a double free. This is however not a likely problem as this code path is very unlikely to happen - free_tmp_table() could do handler calls even if the table was never opened. Fixed by adding a test if the table is opened.

Fixed some possible usage of freed memory
- Create_tmp_table::finalize didn't clear file after delete which could cause a double free. This is however not a likely problem as this code path is very unlikely to happen - free_tmp_table() could do handler calls even if the table was never opened. Fixed by adding a test if the table is opened.
9a60e89a · Monty · 76b58c2a · 9a60e89a
Commit 9a60e89a authored Dec 14, 2020 by Monty
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 5 deletions

sql/sql_select.cc sql/sql_select.cc +9 -5

No files found.
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -18675,6 +18675,7 @@ bool Create_tmp_table::finalize(THD *thd,
  if (table->file->set_ha_share_ref(&share->ha_share))
  {
    delete table->file;
+    table->file= 0;
    goto err;
  }
  table->file->set_table(table);
@@ -19913,11 +19914,14 @@ free_tmp_table(THD *thd, TABLE *entry)
  if (entry->file && entry->is_created())
  {
-    DBUG_ASSERT(entry->db_stat);
+    if (entry->db_stat)
-    entry->file->ha_index_or_rnd_end();
+    {
-    entry->file->info(HA_STATUS_VARIABLE);
+      /* The table was properly opened in open_tmp_table() */
-    thd->tmp_tables_size+= (entry->file->stats.data_file_length +
+      entry->file->ha_index_or_rnd_end();
-                            entry->file->stats.index_file_length);
+      entry->file->info(HA_STATUS_VARIABLE);
+      thd->tmp_tables_size+= (entry->file->stats.data_file_length +
+                              entry->file->stats.index_file_length);
+    }
    entry->file->ha_drop_table(entry->s->path.str);
    delete entry->file;
  }