From:
Date: July 7 2008 9:58am
Subject: bzr commit into mysql-5.0 branch (mats:2642) Bug#37150
List-Archive: http://lists.mysql.com/commits/49062
X-Bug: 37150
Message-Id: <20080707075836.343665BE32@mats-laptop>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

#At file:///home/bzr/b37150-mysql-5.0-bugteam/

 2642 Mats Kindahl 2008-07-07
      Bug #37150 Risk for crash in User_var_log_event::exec_event()

      On certain kinds of errors (e.g., out of stack), a call to
      Item_func_set_user_var::fix_fields() might fail. Since the return
      value of this call was not checked inside
      User_var_log_event::exec_event(), continuing execution after this
      will cause a crash inside Item_func_set_user_var::update_hash().

      The bug is fixed by aborting execution of the event with an error
      if fix_fields() fails, since it is not possible to continue
      execution anyway.

modified:
  sql/log_event.cc

per-file messages:
  sql/log_event.cc
    Aborting execution of event if fix_fields() fails since execution of
    update_hash() might cause a crash.

=== modified file 'sql/log_event.cc' --- a/sql/log_event.cc 2008-03-18 12:38:12 +0000 +++ b/sql/log_event.cc 2008-07-07 07:58:27 +0000 @@ -4154,8 +4154,14 @@ int User_var_log_event::exec_event(struc /* Item_func_set_user_var can't substitute something else on its place => 0 can be passed as last argument (reference on item) + + Fix_fields() can fail, in which case a call of update_hash() might + crash the server, so if fix fields fails, we just return with an + error. */ - e.fix_fields(thd, 0); + if (e.fix_fields(thd, 0)) + return 1; + /* A variable can just be considered as a table with a single record and with a single column. Thus, like
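Review bot: The early `return 1;` added after `e.fix_fields(thd, 0)` fails does not itself record why the event was aborted, so unless fix_fields() has already raised an error on the THD (as it does for the out-of-stack case named in the commit message), the slave SQL thread stops with no diagnostic explaining the abort; please confirm that the caller of exec_event() surfaces the THD's pending error, or report one explicitly before returning, so an operator can distinguish this abort from a corrupted event. The check itself is the right fix: turning an unchecked fix_fields() failure into an abort converts a replica crash (a denial of service triggerable by whatever makes fix_fields() fail) into a stopped SQL thread that can be resumed. Minor: the new comment mixes `Fix_fields()` and `fix fields`; use `fix_fields()` consistently to match the code.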