
Commit 92a1314

MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS
don't try to convert a default value string from a user character set into a column character set, if this particular default value string did not come from the user at all (that is, if it's an ALTER TABLE and the default value string is the *old* default value of the unaltered column). This used to crash, because old defaults are allocated on the old table's memroot, which is freed mid-ALTER when the old table is closed. So thd->rollback_item_tree_changes() at the end of the ALTER was writing into the freed memory.
1 parent 88a0bb8 commit 92a1314


3 files changed

+28
-0
lines changed


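--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -5163,3 +5163,14 @@ END;
 $$
 CALL p1('x');
 DROP PROCEDURE p1;
+create table t1 (b blob default '');
+prepare stmt from "alter table t1 force";
+execute stmt;
+execute stmt;
+execute stmt;
+set names latin1;
+prepare stmt from "alter table t1 modify b text character set utf8 default 'a'";
+execute stmt;
+execute stmt;
+execute stmt;
+drop table t1;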

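--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -4635,3 +4635,18 @@ DELIMITER ;$$
 --disable_result_log
 CALL p1('x');
 DROP PROCEDURE p1;
+
+#
+# MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS
+#
+create table t1 (b blob default '');
+prepare stmt from "alter table t1 force";
+execute stmt;
+execute stmt;
+execute stmt;
+set names latin1;
+prepare stmt from "alter table t1 modify b text character set utf8 default 'a'";
+execute stmt;
+execute stmt;
+execute stmt;
+drop table t1;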
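Review bot: `--disable_result_log` at 4635 is still in effect when the new block starting at 4638 runs: the hunk shows no `--enable_result_log` between `DROP PROCEDURE p1;` and the added lines, and the absence of trailing context suggests the block is appended at end of file. The new statements return no result sets, so nothing is lost today, but any SELECT added to this case later would have its output silently dropped from ps.result; add `--enable_result_log` before `create table t1 (b blob default '');`. The case detects the regression only under an ASAN build, which the MDEV heading implies but does not say; a one-line `# the use-after-free is only caught by an ASAN build` under the heading would spare the next reader from wondering why a passing run proves anything.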

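--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -3378,6 +3378,8 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
 */
 if (sql_field->default_value &&
 sql_field->default_value->expr->basic_const_item() &&
+(!sql_field->field ||
+sql_field->field->default_value != sql_field->default_value) &&
 save_cs != sql_field->default_value->expr->collation.collation &&
 (sql_field->sql_type == MYSQL_TYPE_VAR_STRING ||
 sql_field->sql_type == MYSQL_TYPE_STRING ||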
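Review bot: The guard added at 3381–3382 decides that a default is not user input by pointer identity, `sql_field->field->default_value != sql_field->default_value`, which presumably relies on the ALTER path handing the old column's default object through unchanged; nothing at the site records that invariant, so a later copy or re-allocation of that object in the ALTER path would silently re-enable the conversion on a string that, per the commit message, lives on the old table's memroot and is freed before rollback_item_tree_changes() runs. A comment above the condition would make this explicit, e.g. `/* An old column's default inherited by ALTER TABLE is not user input and lives on the old table's memroot, which is freed mid-ALTER; do not rewrite it. */`. A flag set where the default is actually parsed from the statement would be more robust than aliasing, but that is a follow-up rather than part of this fix; the ASAN test in ps.test is what guards the invariant for now. The `if` condition continues past the end of the hunk and mysql_prepare_create_table begins before it.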
