Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Version: 10.0.4
Component/s: None
Labels: None
Environment: My platform is Debian GNU/Linux sid x86_64, but it occurs on all platforms.
Description
If there is the following variable definition, it may cause a double free:

    static MYSQL_SYSVAR_STR(variable_name,
                            variable,
                            PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC, // PLUGIN_VAR_MEMALLOC is important!
                            "description",
                            NULL,
                            NULL, // using the default update function is important!
                            NULL);
The key points are PLUGIN_VAR_MEMALLOC and the default update function.
If this pattern is used, the following SQL causes a double free:

    SET GLOBAL variable = "value";
    SET GLOBAL variable = NULL;
If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:

    static void update_func_str(THD *thd, struct st_mysql_sys_var *var,
                                void *tgt, const void *save)
    {
      char *value= *(char**) save;
      if (var->flags & PLUGIN_VAR_MEMALLOC)
      { // This clause is used!
        char *old= *(char**) tgt;
        if (value)
          *(char**) tgt= my_strdup(value, MYF(0));
        // when value is NULL, tgt is left unchanged and keeps pointing at old
        my_free(old);
      }
      else
        *(char**) tgt= value;
    }
|
If value is NULL, tgt still refers to freed memory. That memory is freed again in sql/sql_plugin.cc:plugin_vars_free_values(), which causes the double free.
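To make the failure mode concrete, here is an added C example; it is not code from the bug report or from MariaDB. A small tracking allocator stands in for my_strdup()/my_free() and counts a second free of the same block instead of crashing, the buggy function is modelled on the update_func_str() quoted above, and the fixed variant always overwrites tgt so it never keeps a freed pointer. The flag values, the plugin_var_free_value() stand-in for plugin_vars_free_values(), and the sample string are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in flag values; the real ones live in mysql/plugin.h. */
#define PLUGIN_VAR_RQCMDARG 0x2000
#define PLUGIN_VAR_MEMALLOC 0x8000

struct st_mysql_sys_var { int flags; };   /* only the field this example needs */

/* Tracking allocator standing in for my_strdup()/my_free(): it records every
 * block it hands out, marks blocks as freed instead of releasing them at once,
 * and counts any attempt to free a block a second time. Real memory is
 * released in tracker_reset(). */
#define MAX_BLOCKS 16
static char *blocks[MAX_BLOCKS];
static int   freed[MAX_BLOCKS];
static int   nblocks;
static int   double_free_count;

static char *tracked_strdup(const char *s)
{
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if (!p) return NULL;
  memcpy(p, s, n);
  if (nblocks < MAX_BLOCKS) { blocks[nblocks] = p; freed[nblocks] = 0; nblocks++; }
  return p;
}

static void tracked_free(char *p)
{
  int i;
  if (!p) return;                          /* my_free(NULL) is a no-op */
  for (i = 0; i < nblocks; i++) {
    if (blocks[i] == p) {
      if (freed[i]) double_free_count++;   /* second free of the same block */
      freed[i] = 1;
      return;
    }
  }
}

static void tracker_reset(void)
{
  int i;
  for (i = 0; i < nblocks; i++) free(blocks[i]);
  nblocks = 0;
  double_free_count = 0;
}

/* Buggy update function, modelled on the update_func_str() quoted in the report. */
static void update_func_str_buggy(struct st_mysql_sys_var *var, void *tgt, const void *save)
{
  char *value = *(char **) save;
  if (var->flags & PLUGIN_VAR_MEMALLOC) {
    char *old = *(char **) tgt;
    if (value)
      *(char **) tgt = tracked_strdup(value);
    tracked_free(old);                     /* with value == NULL, tgt still points at old */
  } else
    *(char **) tgt = value;
}

/* Fixed variant: tgt is always overwritten, so it never holds a freed pointer. */
static void update_func_str_fixed(struct st_mysql_sys_var *var, void *tgt, const void *save)
{
  char *value = *(char **) save;
  if (var->flags & PLUGIN_VAR_MEMALLOC) {
    char *old = *(char **) tgt;
    *(char **) tgt = value ? tracked_strdup(value) : NULL;
    tracked_free(old);
  } else
    *(char **) tgt = value;
}

/* Assumed model of the cleanup in plugin_vars_free_values(): release whatever
 * string the variable still points at when the plugin is unloaded. */
static void plugin_var_free_value(struct st_mysql_sys_var *var, char **tgt)
{
  if (var->flags & PLUGIN_VAR_MEMALLOC) {
    tracked_free(*tgt);
    *tgt = NULL;
  }
}

typedef void (*update_fn)(struct st_mysql_sys_var *, void *, const void *);

/* Replays  SET GLOBAL variable = "value";  SET GLOBAL variable = NULL;  and the
 * plugin shutdown, returning how many double frees the tracker observed. */
static int run_scenario(update_fn update)
{
  struct st_mysql_sys_var var = { PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC };
  char *variable = NULL;                   /* the plugin's storage for the sysvar */
  char  literal[] = "value";               /* constructed sample value */
  char *save_value = literal;
  char *save_null = NULL;

  tracker_reset();
  update(&var, &variable, &save_value);    /* SET GLOBAL variable = "value" */
  update(&var, &variable, &save_null);     /* SET GLOBAL variable = NULL */
  plugin_var_free_value(&var, &variable);  /* plugin_vars_free_values() at shutdown */
  return double_free_count;
}

int main(void)
{
  printf("buggy update_func_str: %d double free(s)\n", run_scenario(update_func_str_buggy));
  printf("fixed update_func_str: %d double free(s)\n", run_scenario(update_func_str_fixed));
  tracker_reset();
  return 0;
}
```

The buggy scenario reports one double free: the block allocated by the first SET is released by the second SET, but tgt is never cleared, so shutdown releases it again. The fixed variant reports none. A real build would surface the same pair of frees under AddressSanitizer or Valgrind, which is the check to run when reviewing any update function that combines PLUGIN_VAR_MEMALLOC with a NULL assignment.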
This pattern isn't used in all of the bundled storage engines. It is used in the Mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
(I'm a Mroonga storage engine developer.)
I will attach a patch to fix the problem.
Attachments
Issue Links
- is part of: MDEV-4907 merge 5.5 → 10.0-base → 10.0 (Closed)