Commit 9bc9ddd5 authored by Sergey Glukhov's avatar Sergey Glukhov

Bug#38291 memory corruption and server crash with view/sp/function

Send_field.org_col_name has broken value on secondary execution.
It happens when result field is created from the field which belongs to view
due to forgotten assignment of some Send_field attributes. 
The fix:
set Send_field.org_col_name and org_table_name to the correct values during Send_field initialization.
parent 53fe782e
+5 −5
@@ -108,11 +108,11 @@ id
1
select * from v1 group by id limit 0;
Catalog	Database	Table	Table_alias	Column	Column_alias	Type	Length	Max length	Is_null	Flags	Decimals	Charsetnr
def	test	t1	v1	id	id	3	10	0	Y	32768	0	63
def	test	v1	v1	id	id	3	10	0	Y	32768	0	63
id
select * from v1 where id=1000 group by id;
Catalog	Database	Table	Table_alias	Column	Column_alias	Type	Length	Max length	Is_null	Flags	Decimals	Charsetnr
def	test	t1	v1	id	id	3	10	0	Y	32768	0	63
def	test	v1	v1	id	id	3	10	0	Y	32768	0	63
id
select * from v1 where id=1 group by id;
Catalog	Database	Table	Table_alias	Column	Column_alias	Type	Length	Max length	Is_null	Flags	Decimals	Charsetnr
@@ -126,7 +126,7 @@ renamed
1
select * from v3 where renamed=1 group by renamed;
Catalog	Database	Table	Table_alias	Column	Column_alias	Type	Length	Max length	Is_null	Flags	Decimals	Charsetnr
def			v3		renamed	8	12	0	Y	32896	0	63
def		v3	v3	renamed	renamed	8	12	0	Y	32896	0	63
renamed
drop table t1;
drop view v1,v2,v3;
@@ -156,8 +156,8 @@ c1
3
SELECT v1.c1, v2.c2 FROM v1 JOIN v2 ON c1=c2;
Catalog	Database	Table	Table_alias	Column	Column_alias	Type	Length	Max length	Is_null	Flags	Decimals	Charsetnr
def	test	t1	v1	c1	c1	254	1	1	Y	0	0	8
def	test	t2	v2	c2	c2	254	1	1	Y	0	0	8
def	test	v1	v1	c1	c1	254	1	1	Y	0	0	8
def	test	v2	v2	c2	c2	254	1	1	Y	0	0	8
c1	c2
1	1
2	2
+16 −0
@@ -6646,6 +6646,22 @@ ttt
2
drop function func30787;
drop table t1;
create table t1(c1 INT);
create function f1(p1 int) returns varchar(32)
return 'aaa';
create view v1 as select f1(c1) as parent_control_name from t1;
create procedure p1()
begin
select parent_control_name as c1 from v1;
end //
call p1();
c1
call p1();
c1
drop procedure p1;
drop function f1;
drop view v1;
drop table t1;
# ------------------------------------------------------------------
# -- End of 5.0 tests
# ------------------------------------------------------------------
+24 −0
@@ -7794,6 +7794,30 @@ drop function func30787;
drop table t1;


#
# Bug#38291 memory corruption and server crash with view/sp/function
#

create table t1(c1 INT);
create function f1(p1 int) returns varchar(32)
  return 'aaa';
create view v1 as select f1(c1) as parent_control_name from t1;

delimiter //;
create procedure p1()
begin
    select parent_control_name as c1 from v1;
end //
delimiter ;//

call p1();
call p1();

drop procedure p1;
drop function f1;
drop view v1;
drop table t1;

--echo # ------------------------------------------------------------------
--echo # -- End of 5.0 tests
--echo # ------------------------------------------------------------------
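Review bot: The new test only proves that the second `call p1();` no longer crashes; it does not record the metadata this fix changes, so a future regression that yields a wrong but non-crashing org_col_name/org_table_name would still pass. The result files in this same commit already show `--enable_metadata` output (the `Catalog Database Table ...` rows) for the view tests, so wrapping the two calls in `--enable_metadata` / `--disable_metadata` would pin the Send_field values in the expected output as well. A one-line comment above the second call, `# second execution used to see a broken Send_field.org_col_name (Bug#38291)`, would also tell the reader why the procedure is called twice.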
+4 −0
@@ -5764,6 +5764,10 @@ void Item_ref::make_field(Send_field *field)
    field->table_name= table_name;
  if (db_name)
    field->db_name= db_name;
  if (orig_field_name)
    field->org_col_name= orig_field_name;
  if (orig_table_name)
    field->org_table_name= orig_table_name;
}


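Review bot: The two added guards copy `orig_field_name`/`orig_table_name` only when they are non-NULL, so for an Item_ref without original names `field->org_col_name`/`org_table_name` keep whatever was presumably set earlier in this function (outside the hunk); the commit message says that value was broken on secondary execution, so it is worth confirming the NULL branch cannot still reach the same stale value. A why-comment would keep the next maintainer from folding these lines back into the delegated call, e.g. `/* Bug#38291: on re-execution the referenced item's names may no longer be valid; publish this ref's own copies. (source of the stale value inferred from the commit message -- confirm) */`. Item_ref::make_field starts before this hunk.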
+2 −2
@@ -16162,7 +16162,7 @@ static void test_bug32265()
  metadata= mysql_stmt_result_metadata(stmt);
  field= mysql_fetch_field(metadata);
  DIE_UNLESS(strcmp(field->table, "v1") == 0);
  DIE_UNLESS(strcmp(field->org_table, "t1") == 0);
  DIE_UNLESS(strcmp(field->org_table, "v1") == 0);
  DIE_UNLESS(strcmp(field->db, "client_test_db") == 0);
  mysql_free_result(metadata);
  mysql_stmt_close(stmt);
@@ -16174,7 +16174,7 @@ static void test_bug32265()
  metadata= mysql_stmt_result_metadata(stmt);
  field= mysql_fetch_field(metadata);
  DIE_UNLESS(strcmp(field->table, "v1") == 0);
  DIE_UNLESS(strcmp(field->org_table, "t1") == 0);
  DIE_UNLESS(strcmp(field->org_table, "v1") == 0);
  DIE_UNLESS(strcmp(field->db, "client_test_db") == 0);
  mysql_free_result(metadata);
  mysql_stmt_close(stmt);
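Review bot: Assuming the `"v1"` lines are the new side, both hunks flip the expectation an existing regression test (test_bug32265) was written to pin — org_table for a column selected through a view now reports the view name rather than the base table `t1` — with no comment saying why, so a later reader will take it for a regression of Bug#32265. Add above the first changed assertion `/* Bug#38291: org_table reports the view the column was selected from, not the underlying base table */`; the second hunk makes the identical change and the same note applies there. test_bug32265 begins before the first hunk and continues past the second.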