Bug#39040 valgrind errors/crash when creating views with binlog logging enabled

A string buffers which were included in the 'view' data structure were allocated on the stack, causing an invalid pointer when used after the function returned. The fix: use copy of values for view->md5 & view->queries

Bug#39040 valgrind errors/crash when creating views with binlog logging enabled
A string buffers which were included in the 'view' data structure were allocated on the stack, causing an invalid pointer when used after the function returned. The fix: use copy of values for view->md5 & view->queries
f3a4a186 · Sergey Glukhov · c0db5ae4 · f3a4a186 · f3a4a186 · f3a4a186
Commit f3a4a186 authored Oct 27, 2008 by Sergey Glukhov
Show whitespace changes
Inline Side-by-side

Showing with 24 additions and 3 deletions

mysql-test/r/view.result mysql-test/r/view.result +2 -0

mysql-test/t/view.test mysql-test/t/view.test +9 -0

sql/sql_view.cc sql/sql_view.cc +13 -3

No files found.
--- a/mysql-test/r/view.result
+++ b/mysql-test/r/view.result
@@ -3677,6 +3677,8 @@ DROP VIEW v1;

 # -- End of test case for Bug#35193.

+CREATE VIEW v1 AS SELECT 1;
+DROP VIEW v1;
 # -----------------------------------------------------------------
 # -- End of 5.0 tests.
 # -----------------------------------------------------------------
--- a/mysql-test/t/view.test
+++ b/mysql-test/t/view.test
@@ -3560,6 +3560,15 @@ DROP VIEW v1;

 ###########################################################################

+#
+# Bug#39040: valgrind errors/crash when creating views with binlog logging 
+# enabled
+#
+# Bug is visible only when running in valgrind with binary logging.
+CREATE VIEW v1 AS SELECT 1;
+DROP VIEW v1;
+
+
 --echo # -----------------------------------------------------------------
 --echo # -- End of 5.0 tests.
 --echo # -----------------------------------------------------------------
--- a/sql/sql_view.cc
+++ b/sql/sql_view.cc
@@ -774,8 +774,13 @@ static int mysql_register_view(THD *thd, TABLE_LIST *view,
  DBUG_PRINT("info", ("View: %s", str.ptr()));

  /* fill structure */
-  view->query.str= str.c_ptr_safe();
-  view->query.length= str.length();
+  if (!make_lex_string(thd, &view->query, str.ptr(), str.length(), false))
+  {
+    my_error(ER_OUT_OF_RESOURCES, MYF(0));
+    error= -1;
+    goto err;   
+  }
+
  view->source.str= thd->query + thd->lex->create_view_select_start;
  view->source.length= (char *)skip_rear_comments(thd->charset(),
                                                  (char *)view->source.str,
@@ -784,7 +789,12 @@ static int mysql_register_view(THD *thd, TABLE_LIST *view,
                        view->source.str;
  view->file_version= 1;
  view->calc_md5(md5);
-  view->md5.str= md5;
+  if (!(view->md5.str= thd->memdup(md5, 32)))
+  {
+    my_error(ER_OUT_OF_RESOURCES, MYF(0));
+    error= -1;
+    goto err;   
+  }
  view->md5.length= 32;
  can_be_merged= lex->can_be_merged();
  if (lex->create_view_algorithm == VIEW_ALGORITHM_MERGE &&