bug in JOIN_TAB::cleanup() that caused freed memory to be accessed

montywi · vuvova · commit 8ed5fde3e1d2 · 2015-10-05T17:14:14.000+02:00
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
@@ -11472,14 +11472,16 @@ void JOIN_TAB::cleanup()
       }
       else
       {
+        TABLE_LIST *tmp= table->pos_in_table_list;
         end_read_record(&read_record);
-        table->pos_in_table_list->jtbm_subselect->cleanup();
+        tmp->jtbm_subselect->cleanup();
         /* 
           The above call freed the materializedd temptable. Set it to NULL so
           that we don't attempt to touch it if JOIN_TAB::cleanup() is invoked
           multiple times (it may be)
         */
-        table=NULL;
+        tmp->table= NULL;
+        table= NULL;
       }
       DBUG_VOID_RETURN;
     }

Original file line number	Diff line number	Diff line change
`@@ -11472,14 +11472,16 @@ void JOIN_TAB::cleanup()`
`11472`	`11472`	`}`
`11473`	`11473`	`else`
`11474`	`11474`	`{`
	`11475`	`+ TABLE_LIST *tmp= table->pos_in_table_list;`
`11475`	`11476`	`end_read_record(&read_record);`
`11476`		`- table->pos_in_table_list->jtbm_subselect->cleanup();`
	`11477`	`+ tmp->jtbm_subselect->cleanup();`
`11477`	`11478`	`/*`
`11478`	`11479`	`The above call freed the materializedd temptable. Set it to NULL so`
`11479`	`11480`	`that we don't attempt to touch it if JOIN_TAB::cleanup() is invoked`
`11480`	`11481`	`multiple times (it may be)`
`11481`	`11482`	`*/`
`11482`		`- table=NULL;`
	`11483`	`+ tmp->table= NULL;`
	`11484`	`+ table= NULL;`
`11483`	`11485`	`}`
`11484`	`11486`	`DBUG_VOID_RETURN;`
`11485`	`11487`	`}`