Bug#42188: crash and/or memory corruption with user variables

in trigger Interchangeable calls to the mysql_change_user client function and invocations of a trigger changing some user variable caused a memory corruption and a crash. The mysql_change_user API call forces TDH::cleanup() on a server that frees user variable entries. However it didn't reset Item_func_set_user_var::entry to NULL because Item_func_set_user_var::cleanup() was not overloaded. So, Item_func_set_user_var::entry held a pointer to freed memory, that caused a crash. The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. mysql-test/r/user_var.result: Added test case for bug #42188. mysql-test/t/user_var.test: Added test case for bug #42188. sql/item_func.cc: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. sql/item_func.h: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field.

Bug#42188: crash and/or memory corruption with user variables
in trigger Interchangeable calls to the mysql_change_user client function and invocations of a trigger changing some user variable caused a memory corruption and a crash. The mysql_change_user API call forces TDH::cleanup() on a server that frees user variable entries. However it didn't reset Item_func_set_user_var::entry to NULL because Item_func_set_user_var::cleanup() was not overloaded. So, Item_func_set_user_var::entry held a pointer to freed memory, that caused a crash. The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. mysql-test/r/user_var.result: Added test case for bug #42188. mysql-test/t/user_var.test: Added test case for bug #42188. sql/item_func.cc: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field. sql/item_func.h: Bug#42188: crash and/or memory corruption with user variables in trigger The Item_func_set_user_var::cleanup method has been overloaded to cleanup the Item_func_set_user_var::entry field.
f9fd9801 · Gleb Shchepa · ded9e6ec · f9fd9801 · f9fd9801 · f9fd9801
Commit f9fd9801 authored Jan 23, 2009 by Gleb Shchepa
Showing with 24 additions and 0 deletions

mysql-test/r/user_var.result mysql-test/r/user_var.result +5 -0

mysql-test/t/user_var.test mysql-test/t/user_var.test +11 -0

sql/item_func.cc sql/item_func.cc +7 -0

sql/item_func.h sql/item_func.h +1 -0

No files found.
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -399,4 +399,9 @@ select @lastid != id, @lastid, @lastid := id from t1;
 0	3	3
 1	3	4
 drop table t1;
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
 End of 5.1 tests
--- a/mysql-test/t/user_var.test
+++ b/mysql-test/t/user_var.test
@@ -285,4 +285,15 @@ set @lastid=-1;
 select @lastid != id, @lastid, @lastid := id from t1;
 drop table t1;
+#
+# Bug#42188: crash and/or memory corruption with user variables in trigger
+#
+CREATE TABLE t1 (i INT);
+CREATE TRIGGER t_after_insert AFTER INSERT ON t1 FOR EACH ROW SET @bug42188 = 10;
+INSERT INTO t1 VALUES (1);
+--change_user
+INSERT INTO t1 VALUES (1);
+DROP TABLE t1;
 --echo End of 5.1 tests
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -3808,6 +3808,13 @@ static user_var_entry *get_variable(HASH *hash, LEX_STRING &name,
 }
+void Item_func_set_user_var::cleanup()
+{
+  Item_func::cleanup();
+  entry= NULL;
+}
 bool Item_func_set_user_var::set_entry(THD *thd, bool create_if_not_exists)
 {
  if (entry && thd->thread_id == entry_thread_id)

--- a/sql/item_func.h
+++ b/sql/item_func.h
@@ -1357,6 +1357,7 @@ class Item_func_set_user_var :public Item_func
  void save_org_in_field(Field *field) { (void)save_in_field(field, 1, 0); }
  bool register_field_in_read_map(uchar *arg);
  bool set_entry(THD *thd, bool create_if_not_exists);
+  void cleanup();
 };