Commit 9fc39adf authored by Kristofer Pettersson's avatar Kristofer Pettersson

Bug#38486 Crash when using cursor protocol

            
Server side cursors were not initialized properly and this caused a reference to
uninitialized memory.
parent 7b244002
+4 −1
@@ -111,7 +111,8 @@ class Select_materialize: public select_union
  select_result *result; /* the result object of the caller (PS or SP) */
public:
  Materialized_cursor *materialized_cursor;
  Select_materialize(select_result *result_arg) :result(result_arg) {}
  Select_materialize(select_result *result_arg) :result(result_arg),
    materialized_cursor(0) {}
  virtual bool send_fields(List<Item> &list, uint flags);
};

@@ -155,6 +156,7 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
  if (! (sensitive_cursor= new (thd->mem_root) Sensitive_cursor(thd, result)))
  {
    delete result_materialize;
    result_materialize= NULL;
    return 1;
  }

@@ -212,6 +214,7 @@ int mysql_open_cursor(THD *thd, uint flags, select_result *result,
    if ((rc= materialized_cursor->open(0)))
    {
      delete materialized_cursor;
      materialized_cursor= NULL;
      goto err_open;
    }
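Review bot: In the third hunk, `materialized_cursor= NULL;` appears to clear a function-local pointer, so `result_materialize->materialized_cursor` may still hold the address that was just deleted. The name must be a local because mysql_open_cursor is a free function and an unqualified name there cannot be the Select_materialize member. Its declaration is outside the hunk, so this needs confirming. If the local is a copy of the member, add `result_materialize->materialized_cursor= NULL;` beside the delete so that nothing reached through err_open can read or free the stale pointer. Separately, the new initializer `materialized_cursor(0)` and the `= NULL` resets use two spellings of the null pointer; one spelling per file reads better.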

+30 −0
@@ -16189,6 +16189,35 @@ static void test_bug32265()
  DBUG_VOID_RETURN;
}


/**
  Bug#38486 Crash when using cursor protocol
*/

static void test_bug38486(void)
{
    myheader("test_bug38486");
    
    MYSQL_STMT *stmt;
    stmt= mysql_stmt_init(mysql);
    unsigned long type= CURSOR_TYPE_READ_ONLY;
    mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
    const char *sql= "CREATE TABLE t1 (a INT)";
    mysql_stmt_prepare(stmt,sql,strlen(sql));
    
    mysql_stmt_execute(stmt);
    mysql_stmt_close(stmt);
    
    stmt= mysql_stmt_init(mysql);
    mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
    const char *sql2= "INSERT INTO t1 VALUES (1)";
    mysql_stmt_prepare(stmt,sql2,strlen(sql2));
    mysql_stmt_execute(stmt);
    
    mysql_stmt_close(stmt);
}


/*
  Read and parse arguments and MySQL options from my.cnf
*/
@@ -16483,6 +16512,7 @@ static struct my_tests_st my_tests[]= {
  { "test_bug29306", test_bug29306 },
  { "test_bug31669", test_bug31669 },
  { "test_bug32265", test_bug32265 },
  { "test_bug38486", test_bug38486 },
  { 0, 0 }
};
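Review bot: test_bug38486 discards every return value, so it only catches the crash: a NULL from `mysql_stmt_init`, or a failed prepare or execute, passes silently and the later calls run on a bad handle. Check each call with the file's assertion macro (DIE_UNLESS in the client test suite, if that is what this file is; the file name is not shown on the page). The test also creates t1 without dropping it before or after, so once checks are in place a rerun against the same schema fails at CREATE TABLE. The declarations placed after `myheader()` will also not build as C89. A checked version of the first statement is sketched below; the INSERT half follows the same pattern.

```c
static void test_bug38486(void)
{
    MYSQL_STMT *stmt;
    unsigned long type= CURSOR_TYPE_READ_ONLY;
    const char *sql= "CREATE TABLE t1 (a INT)";
    int rc;

    myheader("test_bug38486");

    /* Start from a known state so the test can be rerun. */
    rc= mysql_query(mysql, "DROP TABLE IF EXISTS t1");
    DIE_UNLESS(rc == 0);

    stmt= mysql_stmt_init(mysql);
    DIE_UNLESS(stmt != NULL);
    rc= mysql_stmt_attr_set(stmt, STMT_ATTR_CURSOR_TYPE, (void*)&type);
    DIE_UNLESS(rc == 0);
    rc= mysql_stmt_prepare(stmt, sql, strlen(sql));
    DIE_UNLESS(rc == 0);
    rc= mysql_stmt_execute(stmt);
    DIE_UNLESS(rc == 0);
    mysql_stmt_close(stmt);

    /* ... unchanged in shape: second statement (INSERT), with the same checks ... */

    rc= mysql_query(mysql, "DROP TABLE t1");
    DIE_UNLESS(rc == 0);
}
```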