MDEV-23222 SIGSEG in maria_create() because of double free

The crash happens because a double free in the case CREATE TABLE fails because there is a conflicting tables on disk. Fixed by ensuring that the double free can't happen.
MariaDB · Oct 29, 2020 · 14d43f4 · 14d43f4
1 parent 4c99e3e
commit 14d43f4
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 0 deletions.
diff --git a/mysql-test/suite/maria/create.result b/mysql-test/suite/maria/create.result
@@ -62,5 +62,16 @@ c1
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 #
+# MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+# thd->status_var.local_memory_used >= 0
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+flush tables;
+CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = 'MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;;
+Got one of the listed errors
+DROP TABLE t1;
+#
 # End of 10.3 tests
 #
diff --git a/mysql-test/suite/maria/create.test b/mysql-test/suite/maria/create.test
@@ -70,6 +70,28 @@ SELECT c1 FROM t3 WHERE (c1) IN (SELECT MIN(DISTINCT c1) FROM t2);
 DROP TABLE t2,t3;
 SET @@SQL_MODE=@org_sql_mode;
 
+--echo #
+--echo # MDEV-23222 SIGSEGV in maria_status | Assertion `(longlong)
+--echo # thd->status_var.local_memory_used >= 0
+--echo #
+
+let $mysqld_datadir= `select @@datadir`;
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1);
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+flush tables;
+--remove_file $mysqld_datadir/test/MDEV_23222.frm
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--error 1,ER_TABLE_EXISTS_ERROR
+--eval CREATE TABLE MDEV_23222 (i INT) DATA DIRECTORY = '$MYSQL_TMP_DIR', ENGINE=Aria TRANSACTIONAL=1;
+DROP TABLE t1;
+--disable_warnings
+--remove_file $mysqld_datadir/test/MDEV_23222.MAD
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--remove_file $MYSQL_TMP_DIR/MDEV_23222.MAD
+--enable_warnings
+
 --echo #
 --echo # End of 10.3 tests
 --echo #
diff --git a/storage/maria/ma_create.c b/storage/maria/ma_create.c
@@ -1163,6 +1163,7 @@ int maria_create(const char *name, enum data_file_type datafile_type,
                                   FALSE, TRUE))
       goto err;
     my_free(log_data);
+    log_data= 0;
   }
 
   if (!(flags & HA_DONT_TOUCH_DATA))