diff options
| author | Sergei Petrunia <psergey@askmonty.org> | 2020-01-12 20:50:12 +0200 |
|---|---|---|
| committer | Sergei Petrunia <psergey@askmonty.org> | 2020-01-12 20:50:12 +0200 |
| commit | 9271843e31adef1f8c50e1d9622d07dee3386758 (patch) | |
| tree | 50ca340f1d20d9bb4e7c7aa518928eeae0a55a8d /sql/sql_trigger.cc | |
| parent | 984b3c15449e0b5c7b3d66047a3c490c7be40faf (diff) | |
| download | mariadb-git-bb-10.1-mdev21341-issueSix.tar.gz | |
MDEV-21341: Fix UBSAN failures: Issue Sixbb-10.1-mdev21341-issueSix
(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 requires extra work due to sp_package, will commit a separate
patch for it)
sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.
Fixed by providing static sp_head::create() and sp_head::destroy() methods.
Diffstat (limited to 'sql/sql_trigger.cc')
| -rw-r--r-- | sql/sql_trigger.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sql_trigger.cc b/sql/sql_trigger.cc index 4ecd8139921..c4d348ce400 100644 --- a/sql/sql_trigger.cc +++ b/sql/sql_trigger.cc @@ -1063,7 +1063,7 @@ Table_triggers_list::~Table_triggers_list() { for (int i= 0; i < (int)TRG_EVENT_MAX; i++) for (int j= 0; j < (int)TRG_ACTION_MAX; j++) - delete bodies[i][j]; + sp_head::destroy(bodies[i][j]); /* Free blobs used in insert */ if (record0_field) |