Bug #57187: more user variable fun with multiple

            assignments and comparison in query

A query that compares assignments of the same
user variable caused Valgrind warnings: access
to freed memory region.

In case of a DECIMAL argument the assignment
operator (:=) may return a pointer to a stored
value instead of its copy when evaluated.
The next assignment to the same variable may:
 a) overwrite the stored value with a new one
    and return the same pointer or even
 b) reallocate stored value.

Thus, if we evaluate an assignment and keep
the result pointer and then evaluate another
assignment to the same variable, then the
kept result pointer of the first assignment
will point to unexpectedly changed data or
it may be a dead pointer.

That may cause wrong data or crash.

The user_var_entry::val_decimal method has
been modified to copy user variable data.


mysql-test/r/user_var.result:
  Test case for bug #57187.
mysql-test/t/user_var.test:
  Test case for bug #57187.
sql/item_func.cc:
  Bug #57187: more user variable fun with multiple
              assignments and comparison in query
  
  The user_var_entry::val_decimal method has
  been modified to copy user variable data.

1 files changed, 1 insertions, 1 deletions

diff --git a/sql/item_func.cc b/sql/item_func.cc
index 8bb1009ac2c..5a8f65a795a 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -4064,7 +4064,7 @@ my_decimal *user_var_entry::val_decimal(my_bool *null_value, my_decimal *val)
     int2my_decimal(E_DEC_FATAL_ERROR, *(longlong*) value, 0, val);
     break;
   case DECIMAL_RESULT:
-    val= (my_decimal *)value;
+    my_decimal2decimal((my_decimal *) value, val);
     break;
   case STRING_RESULT:
     str2my_decimal(E_DEC_FATAL_ERROR, value, length, collation.collation, val);