[Commits] ddec45aa50e: MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

Oleksandr Byelkin sanja at mariadb.com
Tue May 14 15:01:15 EEST 2019


revision-id: ddec45aa50e94c137d35dfb16b79feb8b119174b (mariadb-10.2.24-11-gddec45aa50e)
parent(s): 50999738eaed907cfd94b554582b5416e0107642
author: Oleksandr Byelkin
committer: Oleksandr Byelkin
timestamp: 2019-05-14 14:01:15 +0200
message:

MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK

In case of error the SP can be executed without re-compilation and so will reuse the constructed constraint name, so the name should be allocated in the statement memory.

---
 mysql-test/r/constraints.result | 14 ++++++++++++++
 mysql-test/t/constraints.test   | 20 ++++++++++++++++++++
 sql/sql_table.cc                |  6 ++++++
 3 files changed, 40 insertions(+)

diff --git a/mysql-test/r/constraints.result b/mysql-test/r/constraints.result
index df93b69cb9e..47fe0c323be 100644
--- a/mysql-test/r/constraints.result
+++ b/mysql-test/r/constraints.result
@@ -130,3 +130,17 @@ t	CREATE TABLE `t` (
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 DROP table test.t;
 SET @@SQL_MODE=@OLD_SQL_MODE;
+#
+# MDEV-16932 - ASAN heap-use-after-free in my_charlen_utf8 /
+# my_well_formed_char_length_utf8 on 2nd execution of SP with
+# ALTER trying to add bad CHECK
+#
+CREATE TABLE t1 (a INT);
+CREATE PROCEDURE sp() ALTER TABLE t1 ADD CONSTRAINT CHECK (b > 0);
+CALL sp;
+ERROR 42S22: Unknown column 'b' in 'CHECK'
+CALL sp;
+ERROR 42S22: Unknown column 'b' in 'CHECK'
+DROP PROCEDURE sp;
+DROP TABLE t1;
+# End of 10.2 tests
diff --git a/mysql-test/t/constraints.test b/mysql-test/t/constraints.test
index 39b2eb52a9f..669ef08a227 100644
--- a/mysql-test/t/constraints.test
+++ b/mysql-test/t/constraints.test
@@ -119,3 +119,23 @@ CREATE TABLE test.t (f int foo=bar check(f>0));
 SHOW CREATE TABLE t;
 DROP table test.t;
 SET @@SQL_MODE=@OLD_SQL_MODE;
+
+--echo #
+--echo # MDEV-16932 - ASAN heap-use-after-free in my_charlen_utf8 /
+--echo # my_well_formed_char_length_utf8 on 2nd execution of SP with
+--echo # ALTER trying to add bad CHECK
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE PROCEDURE sp() ALTER TABLE t1 ADD CONSTRAINT CHECK (b > 0);
+--error ER_BAD_FIELD_ERROR
+CALL sp;
+--error ER_BAD_FIELD_ERROR
+CALL sp;
+
+# Cleanup
+DROP PROCEDURE sp;
+DROP TABLE t1;
+
+
+--echo # End of 10.2 tests
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 3df877792cc..ecd5de3a09d 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -4185,9 +4185,15 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
     while ((check= c_it++))
     {
       if (!check->name.length)
+      {
+        Query_arena backup;
+        Query_arena *arena= thd->activate_stmt_arena_if_needed(&backup);
         make_unique_constraint_name(thd, &check->name,
                                     &alter_info->check_constraint_list,
                                     &nr);
+        if (arena)
+          thd->restore_active_arena(arena, &backup);
+      }
       {
         /* Check that there's no repeating constraint names. */
         List_iterator_fast<Virtual_column_info>
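Review bot: The arena switch around make_unique_constraint_name carries no comment saying why the generated name must outlive the current execution, which is the whole point of the fix; a line such as `/* The name is stored in alter_info, which is reused when the SP or prepared statement is re-executed, so allocate it in the statement arena. */` above `Query_arena backup;` would spare the next reader a trip to MDEV-16932. A second point worth confirming: since the name now persists in alter_info, a later successful execution of the same SP will presumably reuse the name chosen on the first run instead of generating a fresh one against the table's current constraint list, so a test that CALLs a succeeding procedure twice would pin the intended behaviour (the added test only covers the error path). mysql_prepare_create_table begins and ends outside the hunk.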

