Bug#38823: Invalid memory access when a SP statement does wildcard expansion

The problem is that field names constructed due to wild-card expansion done inside a stored procedure could point to freed memory if the expansion was performed after the first call to the stored procedure. The problem was solved by patch for Bug#38691. The solution was to allocate the database, table and field names in the in the statement memory instead of table memory. mysql-test/r/sp.result: Add test case result for Bug#38823 mysql-test/t/sp.test: Add test case for Bug#38823 sql/item.cc: Remark that this also impacts wildcard expansion inside SPs.

Bug#38823: Invalid memory access when a SP statement does wildcard expansion
The problem is that field names constructed due to wild-card expansion done inside a stored procedure could point to freed memory if the expansion was performed after the first call to the stored procedure. The problem was solved by patch for Bug#38691. The solution was to allocate the database, table and field names in the in the statement memory instead of table memory. mysql-test/r/sp.result: Add test case result for Bug#38823 mysql-test/t/sp.test: Add test case for Bug#38823 sql/item.cc: Remark that this also impacts wildcard expansion inside SPs.
017307f2 · Davi Arnaut · 9b6347f0 · 017307f2 · 017307f2 · 017307f2
Commit 017307f2 authored Oct 14, 2008 by Davi Arnaut
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 1 deletion

mysql-test/r/sp.result mysql-test/r/sp.result +13 -0

mysql-test/t/sp.test mysql-test/t/sp.test +22 -0

sql/item.cc sql/item.cc +2 -1

No files found.
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -6672,6 +6672,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
 end $
 call `p2`('s s s s s s');
 drop procedure `p2`;
+drop table if exists t1;
+drop procedure if exists p1;
+create procedure p1() begin select * from t1; end$
+call p1$
+ERROR 42S02: Table 'test.t1' doesn't exist
+create table t1 (a integer)$
+call p1$
+a
+alter table t1 add b integer;
+call p1$
+a
+drop table t1;
+drop procedure p1;
 # ------------------------------------------------------------------
 # -- End of 5.0 tests
 # ------------------------------------------------------------------
--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@@ -7836,6 +7836,28 @@ delimiter ;$
 call `p2`('s s s s s s');
 drop procedure `p2`;

+#
+# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
+#
+
+--disable_warnings
+drop table if exists t1;
+drop procedure if exists p1;
+--enable_warnings
+
+delimiter $;
+create procedure p1() begin select * from t1; end$
+--error ER_NO_SUCH_TABLE
+call p1$
+create table t1 (a integer)$
+call p1$
+alter table t1 add b integer;
+call p1$
+delimiter ;$
+
+drop table t1;
+drop procedure p1;
+
 --echo # ------------------------------------------------------------------
 --echo # -- End of 5.0 tests
 --echo # ------------------------------------------------------------------
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1759,7 +1759,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
    be allocated in the statement memory, not in table memory (the table
    structure can go away and pop up again between subsequent executions
    of a prepared statement or after the close_tables_for_reopen() call
-    in mysql_multi_update_prepare()).
+    in mysql_multi_update_prepare() or due to wildcard expansion in stored
+    procedures).
  */
  {
    if (db_name)