From 5e5ae51b730aa67f9efb87af4f4921309eac51f1 Mon Sep 17 00:00:00 2001
From: Sergei Petrunia
Date: Sun, 12 Jan 2020 20:50:12 +0200
Subject: MDEV-21341: Fix UBSAN failures: Issue Six

(Variant #2 of the patch, which keeps the sp_head object inside the MEM_ROOT that sp_head object owns)

(10.3 requires extra work due to sp_package, will commit a separate patch for it)

sp_head::operator new() and operator delete() were dereferencing sp_head* pointers to memory that didn't hold a valid sp_head object (it was not created/already destroyed). This caused UBSan to crash when looking up type information.

Fixed by providing static sp_head::create() and sp_head::destroy() methods.
---
 sql/sp_head.h | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

(limited to 'sql/sp_head.h')

diff --git a/sql/sp_head.h b/sql/sp_head.h
index 2b3e568fb9a..47cb0985b05 100644
--- a/sql/sp_head.h
+++ b/sql/sp_head.h
@@ -142,7 +142,7 @@ public:
 
 bool check_routine_name(LEX_STRING *ident);
 
-class sp_head :private Query_arena
+class sp_head :private Query_arena, public Sql_alloc
 {
   sp_head(const sp_head &); /**< Prevent use of these */
   void operator=(sp_head &);
@@ -301,14 +301,16 @@ public:
     being opened is probably enough).
   */
   SQL_I_List m_trg_table_fields;
 
+private:
+  // users must use sp= sp_head::create()
+  sp_head(MEM_ROOT *mem_root_arg);
-  static void *
-  operator new(size_t size) throw ();
-
-  static void
-  operator delete(void *ptr, size_t size) throw ();
+  // users must use sp_head::destroy(sp)
+  virtual ~sp_head();
 
-  sp_head();
+public:
+  static sp_head* create();
+  static void destroy(sp_head *sp);
 
   /// Initialize after we have reset mem_root
   void
@@ -326,7 +328,6 @@ public:
   void
   set_stmt_end(THD *thd);
 
-  virtual ~sp_head();
 
   bool
   execute_trigger(THD *thd,
-- 
cgit v1.2.1
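Review bot: The new create()/destroy() pair in the second hunk leaves the object's lifetime contract undocumented in the header, and that contract is exactly what replaces the UB-prone operator new/delete being removed. Per the commit message the sp_head lives inside the MEM_ROOT it owns, so destroy() presumably has to run ~sp_head() and then free a copy of that root taken before the object's storage is released (freeing through the member still stored in the object would be a use-after-free); that invariant, and whether create() can return NULL on allocation failure, belong next to the declarations rather than only in the .cc file. I would replace the two one-line comments (the first also has a stray `sp=`) with `// Instances live inside the MEM_ROOT they own: construct only via sp_head::create() (check the result for NULL), release only via sp_head::destroy(sp), after which sp is dangling; never delete it directly.` Note also that a private ~sp_head() makes it impossible to derive from sp_head at all, which matches the commit's remark about sp_package needing separate work in 10.3 but should be confirmed for every subclass on this branch. The class body continues outside the hunk.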