From 925d4fb92107c0794060bd8856958c4d13d83e4f Mon Sep 17 00:00:00 2001
From: unknown
Date: Mon, 29 Jan 2007 11:48:31 +0400
Subject: bug #25492 (Invalid deallocation in mysql_stmt_fetch)

Operating with the prepared statements we don't alloc MYSQL_DATA structure, but use MYSQL_STMT's field instead (to increase performance by reducing malloc calls). So we shouldn't free this structure as we did before.

libmysqld/lib_sql.cc:
 we only should free data->alloc here, as the 'data' is a member of STMT structure
---
 libmysqld/lib_sql.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc
index fe4ac5ba676..3a8bc189e7f 100644
--- a/libmysqld/lib_sql.cc
+++ b/libmysqld/lib_sql.cc
@@ -269,7 +269,7 @@ int emb_unbuffered_fetch(MYSQL *mysql, char **row)
 *row= NULL;
 if (data)
 {
- free_rows(data);
+ free_root(&data->alloc,MYF(0));
 ((THD*)mysql->thd)->data= NULL;
 }
 }
-- 
cgit v1.2.1

From fd76e1489394c44513ef646246f50c12fdf1b0a0 Mon Sep 17 00:00:00 2001
From: unknown
Date: Tue, 13 Feb 2007 00:55:45 +0400
Subject: bug #25492 (Invalid deallocation in mysql_stmt_fetch)

libmysqld/lib_sql.cc:
 code modified to prevent freeing of memory that wasn't malloc-ed. Now we check if MYSQL_STMT::result was used.
---
 libmysqld/lib_sql.cc | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc
index 3a8bc189e7f..8992bea943b 100644
--- a/libmysqld/lib_sql.cc
+++ b/libmysqld/lib_sql.cc
@@ -66,6 +66,16 @@ void embedded_get_error(MYSQL *mysql)
 }
 }
 
+
+static void emb_free_rows(THD *thd)
+{
+ if (thd->current_stmt)
+ free_root(&thd->data->alloc,MYF(0));
+ else
+ free_rows(thd->data);
+}
+
+
 static my_bool
 emb_advanced_command(MYSQL *mysql, enum enum_server_command command,
 const char *header, ulong header_length,
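Review bot: `free_root(&data->alloc,MYF(0))` is now applied to every `data` that reaches emb_unbuffered_fetch, but the message says only prepared statements keep their MYSQL_DATA inside the MYSQL_STMT; for an ordinary result set whose MYSQL_DATA was allocated separately (the case `free_rows` handled), this releases the row arena and never frees the header, so if that path is reachable here the invalid free has become a leak. The release should depend on how `data` was obtained, e.g. `if (((THD*)mysql->thd)->current_stmt) free_root(&data->alloc,MYF(0)); else free_rows(data);`, and the `free_rows(thd->data)` calls in emb_advanced_command and emb_free_embedded_thd need the same rule, since they will otherwise free a statement-owned result exactly as this line used to. A comment such as `/* MYSQL_STMT::result is not malloc'ed: only its arena is ours to free */` would record why free_rows() is wrong for the statement case. The body of emb_unbuffered_fetch begins outside the hunk.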
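Review bot: The new emb_free_rows() is wired into emb_advanced_command and emb_free_embedded_thd but not into emb_unbuffered_fetch, which the previous commit left calling `free_root(&data->alloc,MYF(0))` unconditionally; if that fetch path is reached without a current statement, the separately allocated MYSQL_DATA header is leaked, so it should call `emb_free_rows((THD*)mysql->thd);` as well. The helper trusts `thd->current_stmt` alone while emb_read_binary_rows asserts the actual relation, so `DBUG_ASSERT(thd->data == &thd->current_stmt->result);` in the first branch would catch a statement being current while `thd->data` came from a plain query. It also dereferences `thd->data` without a check, relying on both callers' `if (thd->data)` guard. A header comment stating that contract — caller guarantees `thd->data` is non-NULL, and a result living in MYSQL_STMT::result has only its arena released — would keep the next caller from passing NULL.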
@@ -78,7 +88,7 @@ emb_advanced_command(MYSQL *mysql, enum enum_server_command command,
 
 if (thd->data)
 {
- free_rows(thd->data);
+ emb_free_rows(thd);
 thd->data= 0;
 }
 /* Check that we are calling the client functions in right order */
@@ -248,13 +258,23 @@ static int emb_stmt_execute(MYSQL_STMT *stmt)
 
 int emb_read_binary_rows(MYSQL_STMT *stmt)
 {
- MYSQL_DATA *data;
- if (!(data= emb_read_rows(stmt->mysql, 0, 0)))
+ MYSQL *mysql= stmt->mysql;
+ embedded_get_error(mysql);
+ if (mysql->net.last_errno)
 {
- set_stmt_errmsg(stmt, stmt->mysql->net.last_error,
- stmt->mysql->net.last_errno, stmt->mysql->net.sqlstate);
+ set_stmt_errmsg(stmt, mysql->net.last_error,
+ mysql->net.last_errno, mysql->net.sqlstate);
 return 1;
 }
+
+ if (((THD*)mysql->thd)->data)
+ {
+ DBUG_ASSERT(((THD*) mysql->thd)->data == &stmt->result);
+ stmt->result.prev_ptr= NULL;
+ ((THD*)mysql->thd)->data= NULL;
+ }
+ else
+ stmt->result.rows= 0;
 return 0;
 }
 
@@ -285,7 +305,7 @@ static void emb_free_embedded_thd(MYSQL *mysql)
 {
 THD *thd= (THD*)mysql->thd;
 if (thd->data)
- free_rows(thd->data);
+ emb_free_rows(thd);
 thread_count--;
 delete thd;
 mysql->thd=0;
-- 
cgit v1.2.1
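Review bot: The `else` branch in emb_read_binary_rows resets only `stmt->result.rows`, leaving `stmt->result.data` and `prev_ptr` at whatever the previous execution left, so a caller that walks `result.data` after a row-less execution could follow a pointer into an arena that has already been released unless the statement reset path clears them first; adding `stmt->result.data= NULL;` next to `rows` makes this hunk self-contained. The `DBUG_ASSERT` is compiled out in release builds, so a `thd->data` that is not `&stmt->result` would be detached from the THD and, being separately allocated, leaked without any diagnostic; a comment such as `/* the THD was bound to this statement before execute, so its data is our result */` would make that assumption visible to the next reader.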