#At file:///data0/martin/bzrroot/bug58207/5.1bt-minimal_fix/ based on revid:bjorn.munch@stripped
3515 Martin Hansson 2010-12-10
Bug#58207: invalid memory reads when using default column value and
tmptable needed
The function DEFAULT() works by modifying the data buffer pointers (often
referred to as 'record' or 'table record') of its argument. This modification
is done during name resolution (fix_fields().) Here, the pointers are set to
point into a buffer of default values by means of offsetting the pointer by
the distance between the buffers' start addresses. Unfortunately, the same
modification is done when creating a temporary table during optimization. At
this point the Item may or may not be name-resolved. If it is, the bespoke
pointer offsetting method is fragile enough to point into an undefined memory
area, giving rise to everything from valgrind warnings to segmentation faults.
Fixed by checking if an Item is name-resolved before modifying the pointers.
modified:
mysql-test/r/subselect4.result
mysql-test/t/subselect4.test
sql/sql_select.cc
=== modified file 'mysql-test/r/subselect4.result'
--- a/mysql-test/r/subselect4.result 2010-09-07 09:21:09 +0000
+++ b/mysql-test/r/subselect4.result 2010-12-10 10:30:29 +0000
@@ -164,5 +164,24 @@ a b
2 NULL
DROP TABLE t1, t2, t3, t4, t5;
#
+# Bug#58207: invalid memory reads when using default column value and
+# tmptable needed
+#
+CREATE TABLE t1( a CHAR(1) DEFAULT 'a' );
+CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );
+INSERT INTO t1 VALUES ('b'), ('c');
+INSERT INTO t2 VALUES ('b'), ('c');
+# Caused crash in valgrind builds
+SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11;
+DEFAULT(a)
+a
+a
+# Should not cause valgrind error
+SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21;
+b
+a
+a
+DROP TABLE t1, t2;
+#
# End of 5.1 tests.
#
=== modified file 'mysql-test/t/subselect4.test'
--- a/mysql-test/t/subselect4.test 2010-09-07 09:21:09 +0000
+++ b/mysql-test/t/subselect4.test 2010-12-10 10:30:29 +0000
@@ -136,6 +136,23 @@ SELECT * FROM t1 WHERE NULL NOT IN ( SEL
DROP TABLE t1, t2, t3, t4, t5;
+--echo #
+--echo # Bug#58207: invalid memory reads when using default column value and
+--echo # tmptable needed
+--echo #
+CREATE TABLE t1( a CHAR(1) DEFAULT 'a' );
+CREATE TABLE t2( a CHAR(245) DEFAULT 'a' );
+
+INSERT INTO t1 VALUES ('b'), ('c');
+INSERT INTO t2 VALUES ('b'), ('c');
+
+--echo # Caused crash in valgrind builds
+SELECT * FROM (SELECT DEFAULT(a) FROM t1) t11;
+
+--echo # Should not cause valgrind error
+SELECT * FROM (SELECT DEFAULT(a) AS b FROM t2 GROUP BY a) t21;
+
+DROP TABLE t1, t2;
--echo #
--echo # End of 5.1 tests.
=== modified file 'sql/sql_select.cc'
--- a/sql/sql_select.cc 2010-11-26 12:51:48 +0000
+++ b/sql/sql_select.cc 2010-12-10 10:30:29 +0000
@@ -10207,6 +10207,15 @@ create_tmp_table(THD *thd,TMP_TABLE_PARA
item->marker == 4, force_copy_fields,
param->convert_blob_length);
+ /*
+ Fields that are used as arguments to the DEFAULT() function have their
+ data pointers set to the default value during name resulotion. If by
+ any chance they have been resolved at this stage (e.g. if they appear
+ in a subquery) we should not update these pointers.
+ */
+ if (item->type() == Item::DEFAULT_VALUE_ITEM && item->fixed)
+ default_field[fieldnr]= NULL;
+
if (!new_field)
{
if (thd->is_fatal_error)
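Review bot: The added comment misspells "resolution" as "resulotion", and it states the trigger but not the effect of the line it introduces, so a reader cannot tell from the block alone why `default_field[fieldnr]= NULL` is the right remedy. Judging by the commit description, a non-NULL entry in default_field is what later drives the pointer offsetting into the default-value buffer, so I would end the comment with `... we must not offset these pointers a second time; clearing the default_field entry skips that step for this column.` The guard keys on `item->fixed`, which only covers Items that have actually gone through fix_fields() by this point; that is presumably the intended scope, but worth stating in the comment so nobody later widens it without understanding the pointer-lifetime issue. create_tmp_table begins and ends outside this hunk.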
Attachment: [text/bzr-bundle] bzr/martin.hansson@oracle.com-20101210103029-adlfw1s9a394goc0.bundle