[Commits] ddec45aa50e: MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK
revision-id: ddec45aa50e94c137d35dfb16b79feb8b119174b (mariadb-10.2.24-11-gddec45aa50e) parent(s): 50999738eaed907cfd94b554582b5416e0107642 author: Oleksandr Byelkin committer: Oleksandr Byelkin timestamp: 2019-05-14 14:01:15 +0200 message: MDEV-16932: ASAN heap-use-after-free in my_charlen_utf8 / my_well_formed_char_length_utf8 on 2nd execution of SP with ALTER trying to add bad CHECK In case of error the SP can be executed without re-comilation and so will reuse constructed constaint name, so the name should be allocated in the statement memory.
---
mysql-test/r/constraints.result | 14 ++++++++++++++ mysql-test/t/constraints.test | 20 ++++++++++++++++++++ sql/sql_table.cc | 6 ++++++ 3 files changed, 40 insertions(+)
diff --git a/mysql-test/r/constraints.result b/mysql-test/r/constraints.result
index df93b69cb9e..47fe0c323be 100644
--- a/mysql-test/r/constraints.result
+++ b/mysql-test/r/constraints.result
@@ -130,3 +130,17 @@ t CREATE TABLE `t` (
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1
 DROP table test.t;
 SET @@SQL_MODE=@OLD_SQL_MODE;
+#
+# MDEV-16932 - ASAN heap-use-after-free in my_charlen_utf8 /
+# my_well_formed_char_length_utf8 on 2nd execution of SP with
+# ALTER trying to add bad CHECK
+#
+CREATE TABLE t1 (a INT);
+CREATE PROCEDURE sp() ALTER TABLE t1 ADD CONSTRAINT CHECK (b > 0);
+CALL sp;
+ERROR 42S22: Unknown column 'b' in 'CHECK'
+CALL sp;
+ERROR 42S22: Unknown column 'b' in 'CHECK'
+DROP PROCEDURE sp;
+DROP TABLE t1;
+# End of 10.2 tests
diff --git a/mysql-test/t/constraints.test b/mysql-test/t/constraints.test
index 39b2eb52a9f..669ef08a227 100644
--- a/mysql-test/t/constraints.test
+++ b/mysql-test/t/constraints.test
@@ -119,3 +119,23 @@ CREATE TABLE test.t (f int foo=bar check(f>0));
 SHOW CREATE TABLE t;
 DROP table test.t;
 SET @@SQL_MODE=@OLD_SQL_MODE;
+
+--echo #
+--echo # MDEV-16932 - ASAN heap-use-after-free in my_charlen_utf8 /
+--echo # my_well_formed_char_length_utf8 on 2nd execution of SP with
+--echo # ALTER trying to add bad CHECK
+--echo #
+
+CREATE TABLE t1 (a INT);
+CREATE PROCEDURE sp() ALTER TABLE t1 ADD CONSTRAINT CHECK (b > 0);
+--error ER_BAD_FIELD_ERROR
+CALL sp;
+--error ER_BAD_FIELD_ERROR
+CALL sp;
+
+# Cleanup
+DROP PROCEDURE sp;
+DROP TABLE t1;
+
+
+--echo # End of 10.2 tests
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 3df877792cc..ecd5de3a09d 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -4185,9 +4185,15 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
 while ((check= c_it++))
 {
 if (!check->name.length)
+ {
+ Query_arena backup;
+ Query_arena *arena= thd->activate_stmt_arena_if_needed(&backup);
 make_unique_constraint_name(thd, &check->name,
 &alter_info->check_constraint_list,
 &nr);
+ if (arena)
+ thd->restore_active_arena(arena, &backup);
+ }
 {
 /* Check that there's no repeating constraint names. */
 List_iterator_fast<Virtual_column_info>
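Review bot: The arena switch around `make_unique_constraint_name()` in sql/sql_table.cc relies on a lifetime invariant that only the commit message states: the generated `check->name` is read again on the next execution of the stored procedure, so it must not live in per-execution memory. I would add a comment above `Query_arena backup;`, for example `/* The generated name is reused when the statement is re-executed (e.g. from an SP), so it must be allocated on the statement arena. */`. The activate/restore pair is written by hand and is balanced as shown because nothing returns between the two calls, but a scoped guard object would keep it balanced if an error return is ever added inside the block. The added test exercises only the stored-procedure path; presumably a prepared statement executed twice reaches the same code, and a second case for it would guard against a regression there. The body of mysql_prepare_create_table starts and ends outside the hunk.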