Fixed some possible usage of freed memory

- Create_tmp_table::finalize didn't clear file after delete which could cause a double free. This is however not a likely problem as this code path is very unlikely to happen - free_tmp_table() could do handler calls even if the table was never opened. Fixed by adding a test if the table is opened.
MariaDB · Jan 15, 2021 · 9a60e89 · 9a60e89
1 parent 76b58c2
commit 9a60e89
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
@@ -18675,6 +18675,7 @@ bool Create_tmp_table::finalize(THD *thd,
   if (table->file->set_ha_share_ref(&share->ha_share))
   {
     delete table->file;
+    table->file= 0;
     goto err;
   }
   table->file->set_table(table);
@@ -19913,11 +19914,14 @@ free_tmp_table(THD *thd, TABLE *entry)
 
   if (entry->file && entry->is_created())
   {
-    DBUG_ASSERT(entry->db_stat);
-    entry->file->ha_index_or_rnd_end();
-    entry->file->info(HA_STATUS_VARIABLE);
-    thd->tmp_tables_size+= (entry->file->stats.data_file_length +
-                            entry->file->stats.index_file_length);
+    if (entry->db_stat)
+    {
+      /* The table was properly opened in open_tmp_table() */
+      entry->file->ha_index_or_rnd_end();
+      entry->file->info(HA_STATUS_VARIABLE);
+      thd->tmp_tables_size+= (entry->file->stats.data_file_length +
+                              entry->file->stats.index_file_length);
+    }
     entry->file->ha_drop_table(entry->s->path.str);
     delete entry->file;
   }