Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0.4
Fix Version/s: 10.0.5
Component/s: None
Labels: None
Environment: My platform is Debian GNU/Linux sid x86_64, but it affects all platforms.
Description
If there is the following variable definition, it may cause a double free:
static MYSQL_SYSVAR_STR(variable_name,
variable,
PLUGIN_VAR_RQCMDARG | PLUGIN_VAR_MEMALLOC, // PLUGIN_VAR_MEMALLOC is important!
"description",
NULL,
NULL, // using the default update function is important!
NULL);
The points are PLUGIN_VAR_MEMALLOC and the default update function.
If this pattern is used, the following SQL causes a double free:
SET GLOBAL variable = "value"; SET GLOBAL variable = NULL;
If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:
static void update_func_str(THD *thd, struct st_mysql_sys_var *var,
void *tgt, const void *save)
{
char *value= *(char**) save;
if (var->flags & PLUGIN_VAR_MEMALLOC)
{ // This clause is used!
char *old= *(char**) tgt;
if (value)
*(char**) tgt= my_strdup(value, MYF(0));
my_free(old);
}
else
*(char**) tgt= value;
}
If value is NULL, tgt still refers to freed memory. It is freed in sql/sql_plugin.cc:plugin_vars_free_values(), which causes a double free.
This pattern isn't used in any of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
(I'm a mroonga storage engine developer.)
I will attach a patch to fix the problem.
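The lifecycle described above, as an added example that is not part of this report or of MariaDB's source: a C model of the PLUGIN_VAR_MEMALLOC string-sysvar path with the 10.0.4-style update_func_str beside a variant that clears tgt when the new value is NULL, replayed against SET GLOBAL variable = "value"; SET GLOBAL variable = NULL; followed by a plugin unload. The struct sys_var_model, the tracker functions model_strdup/model_free (standing in for my_strdup/my_free), plugin_vars_free_values_model and the flag value are stand-ins assumed for this example; clearing tgt on NULL is this example's fix and is not necessarily the patch attached to the issue.

```c
/* Added example, not MariaDB code: models the MEMALLOC string-sysvar
 * lifecycle with a tracker so a repeated free is counted, not performed. */
#include <stdlib.h>
#include <string.h>

#define PLUGIN_VAR_MEMALLOC 0x8000   /* stand-in for the flag in mysql/plugin.h */

struct sys_var_model { int flags; };  /* stand-in for st_mysql_sys_var */

/* ---- allocation tracker (example-only; MariaDB uses my_strdup/my_free) ---- */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int n_live;
static int double_frees;              /* bumped on every free of a dead pointer */

static char *model_strdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (!p || n_live == MAX_LIVE) abort();
    strcpy(p, s);
    live[n_live++] = p;
    return p;
}

/* Like my_free(): NULL is a no-op. A pointer that is not live is a double
 * free; it is counted and left alone instead of being passed to free(). */
static void model_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];
            free(p);
            return;
        }
    }
    double_frees++;
}

/* Default string update function as in 10.0.4: when value is NULL, tgt keeps
 * pointing at old, which is freed right below. */
static void update_func_str_buggy(struct sys_var_model *var, void *tgt,
                                  const void *save)
{
    char *value = *(char **) save;
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *(char **) tgt;
        if (value)
            *(char **) tgt = model_strdup(value);
        model_free(old);
    } else
        *(char **) tgt = value;
}

/* Same function with this example's fix: SET ... = NULL leaves no stale pointer. */
static void update_func_str_fixed(struct sys_var_model *var, void *tgt,
                                  const void *save)
{
    char *value = *(char **) save;
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        char *old = *(char **) tgt;
        if (value)
            *(char **) tgt = model_strdup(value);
        else
            *(char **) tgt = NULL;
        model_free(old);
    } else
        *(char **) tgt = value;
}

/* Model of plugin_vars_free_values(): on unload, every MEMALLOC string
 * variable is freed, whatever tgt happens to point at. */
static void plugin_vars_free_values_model(struct sys_var_model *var, char **tgt)
{
    if (var->flags & PLUGIN_VAR_MEMALLOC) {
        model_free(*tgt);
        *tgt = NULL;
    }
}

/* Replays SET GLOBAL v = "value"; SET GLOBAL v = NULL; then plugin unload,
 * and returns how many double frees the tracker observed. */
int run_scenario(int use_fixed)
{
    void (*update)(struct sys_var_model *, void *, const void *) =
        use_fixed ? update_func_str_fixed : update_func_str_buggy;
    struct sys_var_model var = { PLUGIN_VAR_MEMALLOC };
    char *variable = NULL;            /* the plugin's storage for the sysvar */
    char *set_value = "value";        /* constructed input: first SET GLOBAL */
    char *set_null = NULL;            /* constructed input: second SET GLOBAL */

    n_live = 0;
    double_frees = 0;
    update(&var, &variable, &set_value);        /* SET GLOBAL variable = "value"; */
    update(&var, &variable, &set_null);         /* SET GLOBAL variable = NULL;    */
    plugin_vars_free_values_model(&var, &variable);   /* UNINSTALL PLUGIN / shutdown */
    return double_frees;
}
```

run_scenario(0) returns 1: the second SET released the string but left variable pointing at it, so plugin_vars_free_values_model() hands the tracker a dead pointer. run_scenario(1) returns 0, because the cleared tgt turns the final free into the NULL no-op that my_free() already tolerates. Compile with any C99 compiler.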
Issue Links
is part of: MDEV-4907 merge 5.5 → 10.0-base → 10.0 (Closed)
Activity
Yes, thanks!
We've just done the same fix in 5.5, and soon I'll merge it into 10.0. This should be fixed in 5.5.33 and in 10.0.5.