MDEV-21673 Calling stored procedure twice in the same session causes MariaDB to crash

This bug could happen only with a stored procedure containing queries with more than one reference to a CTE that used local variables / parameters. This bug was the result of an incomplete merge of the fix for the bug MDEV-17154. The merge covered usage of parameter markers occurred in a CTE that was referenced more than once, but missed coverage of local variables.
author: Igor Babaev <igor@askmonty.org> 2020-04-04 09:24:22 -0700
committer: Igor Babaev <igor@askmonty.org> 2020-04-04 09:24:22 -0700
commit: 21b87437340c403794f100d1af50dcd9c19e123c (patch)
tree: 75f2e6d23afc177b2fe222fffb243acc7deef221 /sql
parent: fbef428645e01113521824c2eb0a42fe4163699c (diff)
download: mariadb-git-21b87437340c403794f100d1af50dcd9c19e123c.tar.gz
1 files changed, 6 insertions, 4 deletions
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index 58c91ab21e7..00fca6c6bf9 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -7066,7 +7066,8 @@ Item *LEX::create_item_limit(THD *thd, const Lex_ident_cli_st *ca)
   if (unlikely(!(item= new (thd->mem_root)
                  Item_splocal(thd, rh, &sa,
                               spv->offset, spv->type_handler(),
-                              pos.pos(), pos.length()))))
+                              clone_spec_offset ? 0 : pos.pos(),
+                              clone_spec_offset ? 0 : pos.length()))))
     return NULL;
 #ifdef DBUG_ASSERT_EXISTS
   item->m_sp= sphead;
@@ -7165,14 +7166,15 @@ Item *LEX::create_item_ident_sp(THD *thd, Lex_ident_sys_st *name,
     }
 
     Query_fragment pos(thd, sphead, start, end);
+    uint f_pos= clone_spec_offset ? 0 : pos.pos();
+    uint f_length= clone_spec_offset ? 0 : pos.length();
     Item_splocal *splocal= spv->field_def.is_column_type_ref() ?
       new (thd->mem_root) Item_splocal_with_delayed_data_type(thd, rh, name,
                                                               spv->offset,
-                                                              pos.pos(),
-                                                              pos.length()) :
+                                                              f_pos, f_length) :
       new (thd->mem_root) Item_splocal(thd, rh, name,
                                        spv->offset, spv->type_handler(),
-                                       pos.pos(), pos.length());
+                                       f_pos, f_length);
     if (unlikely(splocal == NULL))
       return NULL;
 #ifdef DBUG_ASSERT_EXISTS
author	Igor Babaev <igor@askmonty.org>	2020-04-04 09:24:22 -0700
committer	Igor Babaev <igor@askmonty.org>	2020-04-04 09:24:22 -0700
commit	21b87437340c403794f100d1af50dcd9c19e123c (patch)
tree	75f2e6d23afc177b2fe222fffb243acc7deef221 /sql
parent	fbef428645e01113521824c2eb0a42fe4163699c (diff)
download	mariadb-git-21b87437340c403794f100d1af50dcd9c19e123c.tar.gz