Details

Type: Bug
Status: Confirmed
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 12.1(EOL), 11.8
Description
The following script:

    delimiter |;
    create aggregate function cnt() returns int
    begin
      declare z int default 0;
      declare continue handler for not found return z;
      loop
        fetch group next row;
        set z = z+1;
      end loop;
    end|
    delimiter ;|

    create table t1 (id int);
    prepare test from "select cnt() from t1";
    execute test;
    execute test;

leads to double free with the following stacktrace:
    ==204305==ERROR: AddressSanitizer: heap-use-after-free on address 0x75f356665e60 at pc 0x5e502b7b7168 bp 0x73a34722dbe0 sp 0x73a34722dbd0
    READ of size 8 at 0x75f356665e60 thread T5
        #0 0x5e502b7b7167 in Query_arena::free_items() /src/mariadb/sql/sql_class.cc:4192
        #1 0x5e502e2d80e1 in Item_sum_sp::clear() /src/mariadb/sql/item_sum.cc:1449
        #2 0x5e502e380d71 in Aggregator_simple::clear() /src/mariadb/sql/item_sum.h:735
        #3 0x5e502b24526a in Item_sum::aggregator_clear() /src/mariadb/sql/item_sum.h:563
        #4 0x5e502d012e62 in Item_sum::no_rows_in_result() /src/mariadb/sql/item_sum.h:524
        #5 0x5e502bfb2fd2 in return_zero_rows /src/mariadb/sql/sql_select.cc:17875
        #6 0x5e502bed09fc in JOIN::exec_inner() /src/mariadb/sql/sql_select.cc:5014
        #7 0x5e502becb1a8 in JOIN::exec() /src/mariadb/sql/sql_select.cc:4877
        ...

Reproduced on main(049ee29e7e).
Issue Links

- relates to MDEV-26115 Crash when calling stored function in FOR loop argument (Closed)