A fix and a test case for Bug#34166 Server crash in SHOW OPEN TABLES and

pre-locking.

The crash was caused by an implicit assumption in check_table_access() that
table_list parameter is always a part of lex->query_tables.

When iterating over the passed list of tables, check_table_access() used
to stop only when lex->query_tables_last_not_own was reached. 
In case of pre-locking, lex->query_tables_last_own is not NULL and points
to some element of lex->query_tables. When the parameter
of check_table_access() was not part of lex->query_tables, loop invariant
could never be violated and a crash would happen when the current table
pointer would point beyond the end of the provided list.

The fix is to change the signature of check_table_access() to also accept
a numeric limit of loop iterations, similarly to check_grant(), and 
supply this limit in all places when we want to check access of tables
that are outside lex->query_tables, or just want to check access to one table.


mysql-test/r/information_schema.result:
  Update test results (Bug#34166).
mysql-test/t/information_schema.test:
  Add a test case for Bug#34166.
sql/mysql_priv.h:
  Change signature of check_table_access() to accept a numeric limit
  of tables to check.
sql/sp_head.cc:
  Update to the new signature of check_table_access().
sql/sql_acl.cc:
  Improve code clarity: if there is a numeric limit, we should not need
  to look at first_not_own_table.
sql/sql_base.cc:
  Update to the new signature of check_table_access().
sql/sql_cache.cc:
  Update to the new signature of check_table_access().
sql/sql_parse.cc:
  Update to the new signature of check_table_access().
  Change check_table_access() to accept an optional numeric limit of tables
  to check. A crash would happen when check_table_access() was
  passed a list of tables that is not part of lex->query_tables and
  lex->query_tables_last_own was not NULL.
sql/sql_plugin.cc:
  Update to the new signature of check_table_access().
sql/sql_prepare.cc:
  Update to the new signature of check_table_access().
sql/sql_show.cc:
  Update to the new signature of check_table_access().
  Ensure that check_table_access() only checks access to the first
  table in the table list when called from list_open_tables().
  list_open_tables() supplies a table list that is created on stack,
  whereas check_table_access() used to assume that the supplied list is a part
  of thd->lex.
sql/sql_trigger.cc:
  Update to the new signature of check_table_access().
sql/sql_view.cc:
  Update to the new signature of check_table_access().

1 files changed, 3 insertions, 3 deletions

diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 52e6fcc5d58..b76ed0852f5 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -1272,7 +1272,7 @@ static int mysql_test_select(Prepared_statement *stmt,
   ulong privilege= lex->exchange ? SELECT_ACL | FILE_ACL : SELECT_ACL;
   if (tables)
   {
-    if (check_table_access(thd, privilege, tables,0))
+    if (check_table_access(thd, privilege, tables, UINT_MAX, FALSE))
       goto error;
   }
   else if (check_access(thd, privilege, any_db,0,0,0,0))
@@ -1342,7 +1342,7 @@ static bool mysql_test_do_fields(Prepared_statement *stmt,
   THD *thd= stmt->thd;
 
   DBUG_ENTER("mysql_test_do_fields");
-  if (tables && check_table_access(thd, SELECT_ACL, tables, 0))
+  if (tables && check_table_access(thd, SELECT_ACL, tables, UINT_MAX, FALSE))
     DBUG_RETURN(TRUE);
 
   if (open_normal_and_derived_tables(thd, tables, 0))
@@ -1374,7 +1374,7 @@ static bool mysql_test_set_fields(Prepared_statement *stmt,
   THD *thd= stmt->thd;
   set_var_base *var;
 
-  if (tables && check_table_access(thd, SELECT_ACL, tables, 0) ||
+  if (tables && check_table_access(thd, SELECT_ACL, tables, UINT_MAX, FALSE) ||
       open_normal_and_derived_tables(thd, tables, 0))
     goto error;