MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT

The server crashes due to passing NULL to spider_free(). In some cases, this == pt_handler_share_handlers[0] at the label error_get_share in ha_spider::open(). In such cases, to nullify pt_handler_share_handlers[0]->wide_handler is nothing but to nullify this->wide_handler. We should not do this before freeing this->wide_handler.
2025-01-16 12:02:42 +01:00 · 2021-09-21 20:22:56 +09:00 · 2021-09-21 20:22:56 +09:00 · e7208bd934
commit e7208bd934
parent edde9084c2
4 changed files with 62 additions and 1 deletions
--- a/storage/spider/ha_spider.cc
+++ b/storage/spider/ha_spider.cc
@ -659,13 +659,13 @@ error_partition_handler_share_alloc:
 error_get_share:
  if (wide_handler_alloc)
  {
+    spider_free(spider_current_trx, wide_handler, MYF(0));
 #ifdef WITH_PARTITION_STORAGE_ENGINE
    if (pt_handler_share_handlers)
    {
      pt_handler_share_handlers[0]->wide_handler = NULL;
    }
 #endif
-    spider_free(spider_current_trx, wide_handler, MYF(0));
    spider->wide_handler = NULL;
    owner->wide_handler = NULL;
    owner->wide_handler_owner = FALSE;
--- a/storage/spider/mysql-test/spider/bugfix/r/mdev_26158.result
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_26158.result
@ -0,0 +1,27 @@
+#
+# MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE t (
+c INT
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a"'
+PARTITION BY LIST COLUMNS(`c`) (
+PARTITION `pt1` DEFAULT COMMENT = 'srv "s_2_1"'
+);
+INSERT INTO t SELECT * FROM t;
+ERROR 42000: Unknown database 'auto_test_remote'
+DROP DATABASE auto_test_local;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.cnf
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.cnf
@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.test
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_26158.test
@ -0,0 +1,31 @@
+--echo #
+--echo # MDEV-26158 SIGSEGV in spider_free_mem from ha_spider::open on INSERT
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_init.inc
+--enable_result_log
+--enable_query_log
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE t (
+    c INT
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a"'
+PARTITION BY LIST COLUMNS(`c`) (
+    PARTITION `pt1` DEFAULT COMMENT = 'srv "s_2_1"'
+);
+
+--error ER_BAD_DB_ERROR
+INSERT INTO t SELECT * FROM t;
+
+DROP DATABASE auto_test_local;
+
+--disable_query_log
+--disable_result_log
+--source ../../t/test_deinit.inc
+--enable_result_log
+--enable_query_log