MDEV-24281 Reading from freed memory when running main.view with --ps…

…-protocol This bug could affect prepared statements for the command CREATE VIEW with specification that contained unnamed basic constant in select list. If generation of a valid name for the corresponding view column required resolution of conflicts with names of other columns that were explicitly defined then execution of such prepared statement and following deallocation of this statement led to reading from freed memory. Approved by Oleksandr Byelkin <sanja@mariadb.com>
MariaDB · Mar 23, 2022 · bbf02c8 · bbf02c8
1 parent cade21b
commit bbf02c8
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/mysql-test/main/view.result b/mysql-test/main/view.result
@@ -6839,5 +6839,33 @@ id	bar
 Drop View v1;
 Drop table t1;
 #
+# MDEV-24281: Execution of PREPARE from CREATE VIEW statement
+#
+create table t1 (s1 int);
+insert into t1 values (3), (7), (1);
+prepare stmt from "
+create view v1 as select 's1', s1, 1 as My_exp_s1 from t1;
+";
+execute stmt;
+deallocate prepare stmt;
+show create view v1;
+View	Create View	character_set_client	collation_connection
+v1	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select 's1' AS `My_exp_1_s1`,`t1`.`s1` AS `s1`,1 AS `My_exp_s1` from `t1`	latin1	latin1_swedish_ci
+select * from v1;
+My_exp_1_s1	s1	My_exp_s1
+s1	3	1
+s1	7	1
+s1	1	1
+drop view v1;
+prepare stmt from "
+create view v1 as select 's1', s1, 1 as My_exp_s1 from t1;
+";
+execute stmt;
+execute stmt;
+ERROR 42S01: Table 'v1' already exists
+deallocate prepare stmt;
+drop view v1;
+drop table t1;
+#
 # End of 10.3 tests
 #
diff --git a/mysql-test/main/view.test b/mysql-test/main/view.test
@@ -6576,6 +6576,32 @@ SELECT v.id, v.foo AS bar  FROM v1 v
 Drop View v1;
 Drop table t1;
 
+--echo #
+--echo # MDEV-24281: Execution of PREPARE from CREATE VIEW statement
+--echo #
+
+create table t1 (s1 int);
+insert into t1 values (3), (7), (1);
+
+prepare stmt from "
+create view v1 as select 's1', s1, 1 as My_exp_s1 from t1;
+";
+execute stmt;
+deallocate prepare stmt;
+show create view v1;
+select * from v1;
+drop view v1;
+
+prepare stmt from "
+create view v1 as select 's1', s1, 1 as My_exp_s1 from t1;
+";
+execute stmt;
+--error ER_TABLE_EXISTS_ERROR
+execute stmt;
+deallocate prepare stmt;
+drop view v1;
+drop table t1;
+
 --echo #
 --echo # End of 10.3 tests
 --echo #
diff --git a/sql/sql_view.cc b/sql/sql_view.cc
@@ -96,7 +96,8 @@ static void make_unique_view_field_name(THD *thd, Item *target,
     itc.rewind();
   }
 
-  target->orig_name= target->name.str;
+  if (!target->orig_name)
+    target->orig_name= target->name.str;
   target->set_name(thd, buff, name_len, system_charset_info);
 }