MDEV-18083 ASAN heap-use-after-free in Field::set_warning_truncated_w…

…rong_value upon inserting into temporary table remove TABLE_SHARE::error_table_name() and TABLE_SHARE::orig_table_name (that was allocated in a wrong memroot in this bug). instead, simply set TABLE_SHARE::table_name correctly.
MariaDB · Feb 5, 2019 · ef4ccb6 · ef4ccb6
1 parent 3b7694b
commit ef4ccb6
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 34 deletions.
diff --git a/mysql-test/r/alter_table_errors.result b/mysql-test/r/alter_table_errors.result
@@ -27,3 +27,9 @@ t2	CREATE TEMPORARY TABLE `t2` (
   `a` int(11) DEFAULT NULL,
   `v` int(11) GENERATED ALWAYS AS (`a`) VIRTUAL
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
+drop temporary table t1, t2;
+create temporary table t1 (a int);
+alter table t1 add column f text;
+insert into t1 values ('x','foo');
+ERROR 22007: Incorrect integer value: 'x' for column `test`.`t1`.`a` at row 1
+drop temporary table t1;
diff --git a/mysql-test/t/alter_table_errors.test b/mysql-test/t/alter_table_errors.test
@@ -19,3 +19,13 @@ lock table t2 write;
 --error ER_ALTER_OPERATION_NOT_SUPPORTED
 alter table t2 change column a b int, algorithm=inplace;
 show create table t2;
+drop temporary table t1, t2;
+
+#
+# MDEV-18083 ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table
+#
+create temporary table t1 (a int);
+alter table t1 add column f text;
+--error ER_TRUNCATED_WRONG_VALUE_FOR_FIELD
+insert into t1 values ('x','foo');
+drop temporary table t1;
diff --git a/sql/field.cc b/sql/field.cc
@@ -8635,7 +8635,7 @@ int Field_geom::store(const char *from, uint length, CHARSET_INFO *cs)
         (uint32) geom_type != wkb_type)
     {
       const char *db= table->s->db.str;
-      const char *tab_name= table->s->error_table_name();
+      const char *tab_name= table->s->table_name.str;
 
       if (!db)
         db= "";
@@ -10821,7 +10821,7 @@ void Field::set_warning_truncated_wrong_value(const char *type_arg,
 {
   THD *thd= get_thd();
   const char *db_name= table->s->db.str;
-  const char *table_name= table->s->error_table_name();
+  const char *table_name= table->s->table_name.str;
 
   if (!db_name)
     db_name= "";

diff --git a/sql/sql_select.cc b/sql/sql_select.cc
@@ -16753,7 +16753,7 @@ create_tmp_table(THD *thd, TMP_TABLE_PARAM *param, List<Item> &fields,
   table->no_rows_with_nulls= param->force_not_null_cols;
 
   table->s= share;
-  init_tmp_table_share(thd, share, "", 0, tmpname, tmpname);
+  init_tmp_table_share(thd, share, "", 0, "(temporary)", tmpname);
   share->blob_field= blob_field;
   share->table_charset= param->table_charset;
   share->primary_key= MAX_KEY;               // Indicate no primary key
@@ -17539,7 +17539,7 @@ bool Virtual_tmp_table::open()
 bool open_tmp_table(TABLE *table)
 {
   int error;
-  if ((error= table->file->ha_open(table, table->s->table_name.str, O_RDWR,
+  if ((error= table->file->ha_open(table, table->s->path.str, O_RDWR,
                                    HA_OPEN_TMP_TABLE |
                                    HA_OPEN_INTERNAL_TABLE)))
   {
@@ -17735,13 +17735,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
       }
     }
 
-    if ((error= maria_create(share->table_name.str,
-                             file_type,
-                             share->keys, &keydef,
-                             (uint) (*recinfo-start_recinfo),
-                             start_recinfo,
-                             share->uniques, &uniquedef,
-                             &create_info,
+    if ((error= maria_create(share->path.str, file_type, share->keys, &keydef,
+                             (uint) (*recinfo-start_recinfo), start_recinfo,
+                             share->uniques, &uniquedef, &create_info,
                              create_flags)))
     {
       table->file->print_error(error,MYF(0));	/* purecov: inspected */
@@ -17891,11 +17887,9 @@ bool create_internal_tmp_table(TABLE *table, KEY *keyinfo,
   bzero((char*) &create_info,sizeof(create_info));
   create_info.data_file_length= table->in_use->variables.tmp_disk_table_size;
 
-  if ((error=mi_create(share->table_name.str, share->keys, &keydef,
-		       (uint) (*recinfo-start_recinfo),
-		       start_recinfo,
-		       share->uniques, &uniquedef,
-		       &create_info,
+  if ((error=mi_create(share->path.str, share->keys, &keydef,
+		       (uint) (*recinfo-start_recinfo), start_recinfo,
+		       share->uniques, &uniquedef, &create_info,
 		       HA_CREATE_TMP_TABLE | HA_CREATE_INTERNAL_TABLE |
                        ((share->db_create_options & HA_OPTION_PACK_RECORD) ?
                         HA_PACK_RECORD : 0)
@@ -18049,7 +18043,7 @@ create_internal_tmp_table_from_heap(THD *thd, TABLE *table,
   (void) table->file->ha_rnd_end();
   (void) new_table.file->ha_close();
  err1:
-  new_table.file->ha_delete_table(new_table.s->table_name.str);
+  new_table.file->ha_delete_table(new_table.s->path.str);
  err2:
   delete new_table.file;
   thd_proc_info(thd, save_proc_info);
@@ -18074,9 +18068,9 @@ free_tmp_table(THD *thd, TABLE *entry)
   {
     entry->file->ha_index_or_rnd_end();
     if (entry->db_stat)
-      entry->file->ha_drop_table(entry->s->table_name.str);
+      entry->file->ha_drop_table(entry->s->path.str);
     else
-      entry->file->ha_delete_table(entry->s->table_name.str);
+      entry->file->ha_delete_table(entry->s->path.str);
     delete entry->file;
   }
 

diff --git a/sql/sql_table.cc b/sql/sql_table.cc
@@ -9440,7 +9440,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
     goto err_new_table_cleanup;
 
   if (ha_create_table(thd, alter_ctx.get_tmp_path(),
-                      alter_ctx.new_db, alter_ctx.tmp_name,
+                      alter_ctx.new_db, alter_ctx.new_name,
                       create_info, &frm))
     goto err_new_table_cleanup;
 
@@ -9449,7 +9449,7 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
 
   new_table=
     thd->create_and_open_tmp_table(new_db_type, &frm, alter_ctx.get_tmp_path(),
-                                   alter_ctx.new_db, alter_ctx.tmp_name, true);
+                                   alter_ctx.new_db, alter_ctx.new_name, true);
   if (!new_table)
     goto err_new_table_cleanup;
 
@@ -9511,7 +9511,6 @@ bool mysql_alter_table(THD *thd,char *new_db, char *new_name,
         goto err_new_table_cleanup;
     }
   }
-  new_table->s->orig_table_name= table->s->table_name.str;
 
   /*
     Note: In case of MERGE table, we do not attach children. We do not

diff --git a/sql/sql_time.cc b/sql/sql_time.cc
@@ -880,7 +880,7 @@ void make_truncated_value_warning(THD *thd,
   if (field_name)
   {
     const char *db_name= s->db.str;
-    const char *table_name= s->error_table_name();
+    const char *table_name= s->table_name.str;
 
     if (!db_name)
       db_name= "";

diff --git a/sql/table.cc b/sql/table.cc
@@ -5182,7 +5182,7 @@ int TABLE::verify_constraints(bool ignore_failure)
         field_error.append((*chk)->name.str);
         my_error(ER_CONSTRAINT_FAILED,
                  MYF(ignore_failure ? ME_JUST_WARNING : 0), field_error.c_ptr(),
-                 s->db.str, s->error_table_name());
+                 s->db.str, s->table_name.str);
         return ignore_failure ? VIEW_CHECK_SKIP : VIEW_CHECK_ERROR;
       }
     }

diff --git a/sql/table.h b/sql/table.h
@@ -625,16 +625,6 @@ struct TABLE_SHARE
   LEX_STRING normalized_path;		/* unpack_filename(path) */
   LEX_STRING connect_string;
 
-  const char* orig_table_name;          /* Original table name for this tmp table */
-  const char* error_table_name() const  /* Get table name for error messages */
-  {
-    return tmp_table ? (
-      orig_table_name ?
-        orig_table_name :
-        "(temporary)") :
-      table_name.str;
-  }
-
   /* 
      Set of keys in use, implemented as a Bitmap.
      Excludes keys disabled by ALTER TABLE ... DISABLE KEYS.