| Bug #19633 | Stack corruption in fix_fields()/THD::rollback_item_tree_changes() | | |
|---|---|---|---|
| Submitted: | 9 May 2006 11:17 | Modified: | 9 May 2006 21:09 |
| Reporter: | Kristian Nielsen | Email Updates: | |
| Status: | Duplicate | Impact on me: | |
| Category: | MySQL Server: Stored Routines | Severity: | S1 (Critical) |
| Version: | 5.1.10, 5.0.22 | OS: | Linux (Linux/All) |
| Assigned to: | Assigned Account | CPU Architecture: | Any |
[9 May 2006 11:17]
Kristian Nielsen
[9 May 2006 15:55]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/6156
[9 May 2006 16:06]
Kristian Nielsen
I committed a patch that seems to fix this. The patch changes a few places in the stored procedure code to pass along the Item ** instead of the Item *, so that the correct, non-auto location can be registered with THD::nocheck_register_item_tree_change(). There are still places where fix_fields() is called with the address of an auto variable, in events_timed.cc, in sp_head::execute_procedure(), and in Select_fetch_into_spvars::send_data(). As far as I can see, these only concern Item subclasses that do not pass the address to THD::nocheck_register_item_tree_change() in the fix_fields() virtual method, and thus do not have this problem. Not 100% sure though. In any case, this is mighty fragile, and would benefit from refactoring.
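The mechanism behind this report, as an added C++ example that is not MySQL's code (Thd, Item, ItemChange and fix_fields here are simplified stand-ins for THD, Item and Item::fix_fields): a change registry that stores Item** locations for later rollback, the patched pattern that forwards the caller's own Item**, and the pre-patch pattern that registers the address of an automatic variable.

```cpp
#include <vector>
struct Item { int id; };
struct ItemChange { Item **place; Item *old_value; };   // one undo record
// Simplified stand-in for THD (not MySQL's class).
struct Thd {
    std::vector<ItemChange> changes;
    // Models nocheck_register_item_tree_change(): remember where *place lives.
    void register_item_tree_change(Item **place, Item *old_value) {
        changes.push_back({place, old_value});
    }
    // Models rollback_item_tree_changes(): every `place` must still be live.
    void rollback_item_tree_changes() {
        for (auto it = changes.rbegin(); it != changes.rend(); ++it)
            *(it->place) = it->old_value;
        changes.clear();
    }
};
// Models Item::fix_fields(THD*, Item **ref): substitutes *ref and registers
// `ref` itself as the location to restore on rollback.
void fix_fields(Thd *thd, Item **ref, Item *resolved) {
    thd->register_item_tree_change(ref, *ref);
    *ref = resolved;
}
// After the patch: the caller forwards the Item** it owns, a slot that outlives
// the statement, so rollback writes into storage that still exists.
bool fixed_pattern_restores_slot() {
    Item a{1}, b{2}, *slot = &a;     // persistent slot
    Thd thd;
    fix_fields(&thd, &slot, &b);
    bool substituted = (slot == &b) && (thd.changes.back().place == &slot);
    thd.rollback_item_tree_changes();
    return substituted && slot == &a;
}
// Before the patch: the Item* is copied into an automatic variable and the
// address of that copy is registered. Once `tmp` dies, a rollback would write
// through a dangling stack pointer (the reported corruption) and never restore
// the real slot; that write is undefined behaviour, so it is not run here.
bool buggy_pattern_registers_temporary() {
    Item a{1}, b{2}, *slot = &a;
    Thd thd;
    bool wrong_place;
    {
        Item *tmp = slot;            // auto variable: address dies with this block
        fix_fields(&thd, &tmp, &b);
        slot = tmp;
        wrong_place = (thd.changes.back().place == &tmp) && (&tmp != &slot);
    }
    thd.changes.clear();             // discard instead of rolling back
    return wrong_place;
}
```

The patch described above is the move from the second pattern to the first; the remaining auto-variable call sites named in the comment are safe only as long as the Item subclasses involved never register the pointer they receive.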
[9 May 2006 19:26]
Kristian Nielsen
From source inspection, it would appear that the same problem is present in 5.0. The code looks substantially the same as the 5.1 code.
[9 May 2006 21:09]
Konstantin Osipov
This is a duplicate of Bug#18037 "Server crash when returning system variable in stored procedures"