sql/sql_plugin.cc:update_func_str() for PLUGIN_VAR_MEMALLOC may cause double free

Description

If there is the following variable definition, it may cause a double free:

The points are PLUGIN_VAR_MEMALLOC and the default update function.

If this pattern is used, the following SQL causes a double free:

If a variable uses PLUGIN_VAR_MEMALLOC and the default update function, the following code is used in sql/sql_plugin.cc:

If value is NULL, tgt still refers to freed memory. It is freed in sql/sql_plugin.cc:plugin_vars_free_values(). It causes a double free.

This pattern isn't used by all of the bundled storage engines. It is used in the mroonga storage engine: https://github.com/mroonga/mroonga/blob/3156280442792c1446175044ba666428690b9c55/ha_mroonga.cpp#L699
(I'm a mroonga storage engine developer.)

I will attach a patch to fix the problem.
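A constructed C model of the pattern this report describes, added here for illustration; it is not the real sql_plugin.cc or mroonga code, and the helper names (update_str_buggy, update_str_fixed, vars_free_values, leaves_dangling) are assumptions. The buggy update frees the old string but leaves the variable pointing at it when the new value is NULL, so the later free at plugin shutdown hits the same block twice; the fixed variant always reassigns the pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PLUGIN_VAR_MEMALLOC string variable; these are
 * illustrative helpers, not the real sql_plugin.cc or mroonga code. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Buggy shape: the old string is freed, but when value is NULL the
 * variable is never reassigned, so *tgt keeps pointing at freed memory. */
static void update_str_buggy(char **tgt, const char *value)
{
    char *old = *tgt;
    if (value)
        *tgt = dup_str(value);
    free(old);
}

/* Fixed shape: *tgt is always reassigned, to a copy or to NULL, before
 * the old string is released, so no dangling pointer survives. */
static void update_str_fixed(char **tgt, const char *value)
{
    char *old = *tgt;
    *tgt = value ? dup_str(value) : NULL;
    free(old);
}

/* Model of the shutdown path (plugin_vars_free_values) that releases
 * whatever the variable still holds. free(NULL) is a no-op. */
static void vars_free_values(char **tgt)
{
    free(*tgt);
    *tgt = NULL;
}

/* Simulates SET var = NULL and returns 1 if the variable still holds a
 * non-NULL (now freed) pointer, i.e. the shutdown free would be a double
 * free. Only the safe case is actually passed on to vars_free_values(). */
static int leaves_dangling(void (*update)(char **, const char *))
{
    char *var = dup_str("initial value");   /* constructed sample value */
    update(&var, NULL);
    int dangling = (var != NULL);
    if (!dangling)
        vars_free_values(&var);
    return dangling;
}
```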

Environment

My platform is Debian GNU/Linux sid x86_64, but it occurs on all platforms.

Assignee

Sergei Golubchik

Reporter

Kouhei Sutou

Labels

None

Fix versions

Affects versions

Priority

Major