2705 Davi Arnaut 2008-10-14
Bug#38823: Invalid memory access when a SP statement does wildcard expansion
The problem is that field names constructed due to wild-card
expansion done inside a stored procedure could point to freed
memory if the expansion was performed after the first call to
the stored procedure.
The problem was solved by the patch for Bug#38691. The solution
was to allocate the database, table and field names in the
statement memory instead of table memory.
modified:
mysql-test/r/sp.result
mysql-test/t/sp.test
sql/item.cc
2704 Georgi Kodinov 2008-10-10 [merge]
merged 5.0-main -> 5.0-bugteam
modified:
mysql-test/r/lock_multi.result
mysql-test/t/lock_multi.test
sql/item.cc
sql/sql_base.cc
sql/sql_lex.cc
sql/sql_lex.h
sql/sql_union.cc
sql/sql_update.cc
sql/table.cc
sql/table.h
=== modified file 'mysql-test/r/sp.result'
--- a/mysql-test/r/sp.result 2008-09-20 08:51:03 +0000
+++ b/mysql-test/r/sp.result 2008-10-14 14:04:36 +0000
@@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `st
end $
call `p2`('s s s s s s');
drop procedure `p2`;
+drop table if exists t1;
+drop procedure if exists p1;
+create procedure p1() begin select * from t1; end$
+call p1$
+ERROR 42S02: Table 'test.t1' doesn't exist
+create table t1 (a integer)$
+call p1$
+a
+alter table t1 add b integer;
+call p1$
+a
+drop table t1;
+drop procedure p1;
# ------------------------------------------------------------------
# -- End of 5.0 tests
# ------------------------------------------------------------------
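Review bot: the expected output `a` after `alter table t1 add b integer;` (the third `call p1$`) records that in 5.0 the `select *` inside the procedure keeps the column list expanded on the first successful call instead of picking up the new column `b`; that single expansion is exactly why the Item_field names must outlive the TABLE they were copied from, so a one-line comment in the test stating that the `a`-only header is intended would stop a future reader from filing it as a regression. Since `t1` holds no rows, the header names are the only data printed and are the memory this bug concerns, so the case only fails visibly under a memory checker; that is fine for a regression test but worth saying in the test header.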
=== modified file 'mysql-test/t/sp.test'
--- a/mysql-test/t/sp.test 2008-09-20 08:51:03 +0000
+++ b/mysql-test/t/sp.test 2008-10-14 14:04:36 +0000
@@ -7836,6 +7836,28 @@ delimiter ;$
call `p2`('s s s s s s');
drop procedure `p2`;
+#
+# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
+#
+
+--disable_warnings
+drop table if exists t1;
+drop procedure if exists p1;
+--enable_warnings
+
+delimiter $;
+create procedure p1() begin select * from t1; end$
+--error ER_NO_SUCH_TABLE
+call p1$
+create table t1 (a integer)$
+call p1$
+alter table t1 add b integer;
+call p1$
+delimiter ;$
+
+drop table t1;
+drop procedure p1;
+
--echo # ------------------------------------------------------------------
--echo # -- End of 5.0 tests
--echo # ------------------------------------------------------------------
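Review bot: `alter table t1 add b integer;` is issued while the delimiter is still `$`, so it is not a statement of its own but is bundled with the following `call p1$` into one multi-statement request, and the result file echoes it that way. If the ALTER is meant to run as a separate statement before the third call, terminate it with `$` (`alter table t1 add b integer$`) so the test does not rely on multi-statement handling in mysqltest. The `--error ER_NO_SUCH_TABLE` on the first `call p1$` is a useful addition: it covers the path where the statement fails before any wildcard expansion has happened, leaving the second call to do the first expansion.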
=== modified file 'sql/item.cc'
--- a/sql/item.cc 2008-10-07 21:34:00 +0000
+++ b/sql/item.cc 2008-10-14 14:04:36 +0000
@@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_re
be allocated in the statement memory, not in table memory (the table
structure can go away and pop up again between subsequent executions
of a prepared statement or after the close_tables_for_reopen() call
- in mysql_multi_update_prepare()).
+ in mysql_multi_update_prepare() or due to wildcard expansion in stored
+ procedures).
*/
{
if (db_name)
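Review bot: the only code change here is a comment, which is consistent with the commit message saying the real fix arrived with Bug#38691; for traceability the comment should name this bug next to the new reason, e.g. `or due to wildcard expansion in stored procedures (Bug#38823))`, so that someone reading Item_field::Item_field can find the sp.test case that exercises the stored-procedure path. The commit message would also read more clearly if it said outright that this changeset adds only the regression test and the comment.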
Thread: bzr push into mysql-5.0-bugteam branch (davi:2704 to 2705) Bug#38823 | Davi Arnaut | 14 Oct