diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2018-04-16 23:14:28 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2018-05-10 12:48:30 +0200 |
| commit | 92a13148e80c30422ae5460032169cbe1946fa6d (patch) | |
| tree | ea80b092ccfebfb9dea57530088caa3c5cb63d2b /sql/sql_table.cc | |
| parent | 88a0bb83dfa1746571c99503f1cfd586f63e9a17 (diff) | |
| download | mariadb-git-92a13148e80c30422ae5460032169cbe1946fa6d.tar.gz | |
MDEV-15746 ASAN heap-use-after-free in Item_change_list::rollback_item_tree_changes on ALTER executed as PS
don't try to convert a default value string from a user character set
into a column character set, if this particular default value string did
not came from the user at all (that is, if it's an ALTER TABLE and the
default value string is the *old* default value of the unaltered
column).
This used to crash, because old defaults are allocated on the old
table's memroot, which is freed mid-ALTER when the old table is closed.
So thd->rollback_item_tree_changes() at the end of the ALTER was writing
into the freed memory.
Diffstat (limited to 'sql/sql_table.cc')
| -rw-r--r-- | sql/sql_table.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 9e7973b745c..1ed2194b09a 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -3378,6 +3378,8 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info, */ if (sql_field->default_value && sql_field->default_value->expr->basic_const_item() && + (!sql_field->field || + sql_field->field->default_value != sql_field->default_value) && save_cs != sql_field->default_value->expr->collation.collation && (sql_field->sql_type == MYSQL_TYPE_VAR_STRING || sql_field->sql_type == MYSQL_TYPE_STRING || |