From 9271843e31adef1f8c50e1d9622d07dee3386758 Mon Sep 17 00:00:00 2001
From: Sergei Petrunia <psergey@askmonty.org>
Date: Sun, 12 Jan 2020 20:50:12 +0200
Subject: MDEV-21341: Fix UBSAN failures: Issue Six

(Variant #2 of the patch, which keeps the sp_head object inside the
MEM_ROOT that sp_head object owns)
(10.3 requires extra work due to sp_package, will commit a separate
patch for it)

sp_head::operator new() and operator delete() were dereferencing sp_head*
pointers to memory that didn't hold a valid sp_head object (it was
not created/already destroyed).
This caused UBSan to crash when looking up type information.

Fixed by providing static sp_head::create() and sp_head::destroy() methods.
---
 sql/sql_trigger.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sql/sql_trigger.cc')

diff --git a/sql/sql_trigger.cc b/sql/sql_trigger.cc
index 4ecd8139921..c4d348ce400 100644
--- a/sql/sql_trigger.cc
+++ b/sql/sql_trigger.cc
@@ -1063,7 +1063,7 @@ Table_triggers_list::~Table_triggers_list()
 {
   for (int i= 0; i < (int)TRG_EVENT_MAX; i++)
     for (int j= 0; j < (int)TRG_ACTION_MAX; j++)
-      delete bodies[i][j];
+      sp_head::destroy(bodies[i][j]);
 
   /* Free blobs used in insert */
   if (record0_field)
-- 
cgit v1.2.1