From e52a4ab693002ccfe9eb65e409f8b3457de450b9 Mon Sep 17 00:00:00 2001
From: Robert Bindar
Date: Mon, 1 Apr 2019 11:54:29 +0300
Subject: MDEV-15907 ASAN heap-use-after-free

This patch fixes an invalid read in fill_effective_table_privileges triggered by a grant_version increase between a PREPARE for a statement creating a view from I_S and EXECUTE. A tmp table was created and free'd while preparing the statement, TABLE_LIST::table_name was set to point to the tmp table TABLE_SHARE::table_name which no longer existed after preparing was done. The grant version increase made fill_effective_table_privileges called during EXECUTE to try fetch the updated grant info and this is where the dangling table name was used.
---
 mysql-test/r/mdev15907.result | 4 ++++
 mysql-test/t/mdev15907.test | 4 ++++
 sql/sql_show.cc | 2 --
 sql/table.cc | 3 ++-
 4 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 mysql-test/r/mdev15907.result
 create mode 100644 mysql-test/t/mdev15907.test
diff --git a/mysql-test/r/mdev15907.result b/mysql-test/r/mdev15907.result
new file mode 100644
index 00000000000..3b5ee16b14b
--- /dev/null
+++ b/mysql-test/r/mdev15907.result
@@ -0,0 +1,4 @@
+PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
+FLUSH PRIVILEGES;
+EXECUTE stmt2;
+DROP VIEW v;
diff --git a/mysql-test/t/mdev15907.test b/mysql-test/t/mdev15907.test
new file mode 100644
index 00000000000..3b5ee16b14b
--- /dev/null
+++ b/mysql-test/t/mdev15907.test
@@ -0,0 +1,4 @@
+PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
+FLUSH PRIVILEGES;
+EXECUTE stmt2;
+DROP VIEW v;
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index db33a9de781..a69f7a8b970 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
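Review bot: The new mdev15907.test neither releases the prepared statement nor says what it guards, so the FLUSH PRIVILEGES line looks unrelated and is the first thing a later cleanup would drop. A header comment such as `# MDEV-15907 ASAN heap-use-after-free` and, above the flush, `# FLUSH PRIVILEGES bumps grant_version so EXECUTE re-fetches grant info (the dangling table_name path)` would pin the intent, since the commit message is the only place that explains it today. Adding `DEALLOCATE PREPARE stmt2;` after `EXECUTE stmt2;` would also leave the connection clean; the .result file would need regenerating for that change. The test runs as the default root user, which is enough to reproduce the use-after-free under ASAN but does not exercise a restricted account.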
@@ -7620,8 +7620,6 @@ int mysql_schema_table(THD *thd, LEX *lex, TABLE_LIST *table_list)
 table->alias_name_used= my_strcasecmp(table_alias_charset,
 table_list->schema_table_name,
 table_list->alias);
- table_list->table_name= table->s->table_name.str;
- table_list->table_name_length= table->s->table_name.length;
 table_list->table= table;
 table->next= thd->derived_tables;
 thd->derived_tables= table;
diff --git a/sql/table.cc b/sql/table.cc
index f6152a36eef..c8253649a1f 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -5373,7 +5373,8 @@ const char *Field_iterator_table_ref::get_table_name()
 return natural_join_it.column_ref()->table_name();
 DBUG_ASSERT(!strcmp(table_ref->table_name,
- table_ref->table->s->table_name.str));
+ table_ref->table->s->table_name.str) ||
+ table_ref->schema_table);
 return table_ref->table_name;
 }
-- cgit v1.2.1
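Review bot: Deleting the two assignments leaves no trace in mysql_schema_table of why table_list->table_name must not be pointed into the materialized tmp table's TABLE_SHARE, so the dangling pointer can be reintroduced by anyone who wants the tmp name visible on the TABLE_LIST. A comment at the point of the removed lines, `/* Do not point table_list->table_name at table->s->table_name: the I_S tmp table is freed after prepare, while TABLE_LIST outlives it across EXECUTE (MDEV-15907). */`, would pin the invariant. With the change, fill_effective_table_privileges looks up grants under the I_S table name the TABLE_LIST already carried rather than under the tmp table's name; that appears to be the intended behavior, but the commit message does not say so, and any other reader that assumed table_list->table_name equals table->s->table_name for schema tables (the DBUG_ASSERT in table.cc is one) should be checked with the same eye. mysql_schema_table's body starts and ends outside the hunk.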
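Review bot: The added `|| table_ref->schema_table` is indented to line up with strcmp's second argument, so it reads as a third argument of strcmp rather than as a separate disjunct of the assertion; the precedence is correct but the layout hides it. Putting the cheap check first, `DBUG_ASSERT(table_ref->schema_table ||` / `!strcmp(table_ref->table_name,` / `table_ref->table->s->table_name.str));`, makes the two cases visible and short-circuits the strcmp for I_S tables. A one-line comment above the assertion, `/* I_S tables are materialized into a tmp table whose share name differs from the TABLE_LIST name */`, would explain why the exemption exists, since the relaxed assertion now also documents that get_table_name() returns the I_S name, not the tmp table's, for schema tables. Field_iterator_table_ref::get_table_name starts outside the hunk.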