MDEV-21341: Fix UBSAN failures: Issue Sixbb-10.3-mdev21341-issueSix

(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 version of the fix, with handling for class sp_package)

sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.

Fixed by providing static sp_head::create() and sp_head::destroy() methods.

1 files changed, 5 insertions, 5 deletions

diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index f6df176c6a0..6e6c79c0e6c 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -793,7 +793,7 @@ void lex_end_stage1(LEX *lex)
   }
   else
   {
-    delete lex->sphead;
+    sp_head::destroy(lex->sphead);
     lex->sphead= NULL;
   }
 
@@ -3049,13 +3049,13 @@ void LEX::cleanup_lex_after_parse_error(THD *thd)
       DBUG_ASSERT(pkg == pkg->m_top_level_lex->sphead);
       pkg->restore_thd_mem_root(thd);
       LEX *top= pkg->m_top_level_lex;
-      delete pkg;
+      sp_package::destroy(pkg);
       thd->lex= top;
       thd->lex->sphead= NULL;
     }
     else
     {
-      delete thd->lex->sphead;
+      sp_head::destroy(thd->lex->sphead);
       thd->lex->sphead= NULL;
     }
   }
@@ -6190,7 +6190,7 @@ sp_head *LEX::make_sp_head(THD *thd, const sp_name *name,
   sp_head *sp;
 
   /* Order is important here: new - reset - init */
-  if (likely((sp= new sp_head(package, sph))))
+  if (likely((sp= sp_head::create(package, sph))))
   {
     sp->reset_thd_mem_root(thd);
     sp->init(this);
@@ -7829,7 +7829,7 @@ sp_package *LEX::create_package_start(THD *thd,
       return 0;
     }
   }
-  if (unlikely(!(pkg= new sp_package(this, name_arg, sph))))
+  if (unlikely(!(pkg= sp_package::create(this, name_arg, sph))))
     return NULL;
   pkg->reset_thd_mem_root(thd);
   pkg->init(this);