mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2026-04-25 01:35:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fixed some possible usage of freed memory

Browse source 
- Create_tmp_table::finalize didn't clear file after delete which
  could cause a double free. This is however not a likely problem as
  this code path is very unlikely to happen
- free_tmp_table() could do handler calls even if the table was never
  opened. Fixed by adding a test if the table is opened.
This commit is contained in:
Monty 2020-12-14 15:27:07 +02:00
commit 9a60e89a90
1 changed files with 9 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

14
sql/sql_select.cc
View file

@ -18675,6 +18675,7 @@ bool Create_tmp_table::finalize(THD *thd,
if (table->file->set_ha_share_ref(&share->ha_share))
{
delete table->file;
table->file= 0;
goto err;
}
table->file->set_table(table);
@ -19913,11 +19914,14 @@ free_tmp_table(THD *thd, TABLE *entry)
if (entry->file && entry->is_created())
{
DBUG_ASSERT(entry->db_stat);
entry->file->ha_index_or_rnd_end();
entry->file->info(HA_STATUS_VARIABLE);
thd->tmp_tables_size+= (entry->file->stats.data_file_length +
entry->file->stats.index_file_length);
if (entry->db_stat)
{
/* The table was properly opened in open_tmp_table() */
entry->file->ha_index_or_rnd_end();
entry->file->info(HA_STATUS_VARIABLE);
thd->tmp_tables_size+= (entry->file->stats.data_file_length +
entry->file->stats.index_file_length);
}
entry->file->ha_drop_table(entry->s->path.str);
delete entry->file;
}