In sql/vidx/vidx_index.cc, hlindex_open() allocates the hlindex TABLE with my_malloc() at line 980 and, for a non-temporary share, increments s->hlindex's ref_count under LOCK_open at lines 987-990, before calling open_table_from_share().
However, when open_table_from_share() fails (error != 0), the function jumps to error_end at line 1001 without:
Decrementing the ref_count it previously took on the TABLE_SHARE — the share stays pinned (presumably it cannot be released or flushed while the count is non-zero), which is the more serious half of the bug, not just a memory leak
Freeing the my_malloc()'d hlindex TABLE
If the failure can be triggered repeatedly (e.g. a persistently unopenable index file), every attempt leaks both the share reference and the TABLE allocation, so this is a resource-exhaustion / denial-of-service concern as well as a correctness bug.
Code location (line numbers refer to sql/vidx/vidx_index.cc; lines 981-986 are elided):
// Line 980: Allocate hlindex
hlindex = (TABLE *)my_malloc(key_memory_TABLE, sizeof(*hlindex), MYF(MY_WME));
// Lines 987-990: Increment ref_count
if (s->hlindex->tmp_table == NO_TMP_TABLE) {
mysql_mutex_lock(&LOCK_open);
s->hlindex->increment_ref_count();
mysql_mutex_unlock(&LOCK_open);
}
// Lines 993-997: Call open_table_from_share
int error = open_table_from_share(in_use, s->hlindex, hlindex_name,
(uint)(HA_OPEN_KEYFILE | HA_OPEN_RNDFILE |
HA_GET_INDEX | HA_TRY_READ_ONLY),
EXTRA_RECORD, in_use->open_options,
hlindex, false, hlindex_dd);
// Lines 999-1001: Problem: When error != 0, no cleanup before goto error_end
if (error != 0 || hlindex == nullptr) {
error_message = "Failed to open_table_from_share.";
goto error_end; // Memory leak here!
}
Note: open_table_from_share() does NOT free the passed outparam pointer on failure (verified in sql/table.cc); it only cleans up the resources it allocated internally. The caller therefore remains responsible for both the hlindex buffer and the share reference it took.
Suggested fix (caveat: the decrement below is nested under hlindex != nullptr, but the increment at lines 987-990 is not conditional on the allocation having succeeded — unless the elided lines 981-986 already bail out on a null hlindex, the ref_count must also be decremented on that path before the goto; the decrement is done before my_free() so that no path frees the TABLE while still holding the reference):
if (error != 0 || hlindex == nullptr) {
error_message = "Failed to open_table_from_share.";
if (hlindex != nullptr) {
if (s->hlindex->tmp_table == NO_TMP_TABLE) {
mysql_mutex_lock(&LOCK_open);
s->hlindex->decrement_ref_count();
mysql_mutex_unlock(&LOCK_open);
}
my_free(hlindex);
hlindex = nullptr;
}
goto error_end;
}
In sql/vidx/vidx_index.cc, hlindex_open() allocates the hlindex TABLE with my_malloc() at line 980 and, for a non-temporary share, increments s->hlindex's ref_count under LOCK_open at lines 987-990, before calling open_table_from_share().
However, when open_table_from_share() fails (error != 0), the function jumps to error_end at line 1001 without:
Decrementing the ref_count it previously took on the TABLE_SHARE — the share stays pinned (presumably it cannot be released or flushed while the count is non-zero), which is the more serious half of the bug, not just a memory leak
Freeing the my_malloc()'d hlindex TABLE
If the failure can be triggered repeatedly (e.g. a persistently unopenable index file), every attempt leaks both the share reference and the TABLE allocation, so this is a resource-exhaustion / denial-of-service concern as well as a correctness bug.
Code location (line numbers refer to sql/vidx/vidx_index.cc; lines 981-986 are elided):
// Line 980: Allocate hlindex
hlindex = (TABLE *)my_malloc(key_memory_TABLE, sizeof(*hlindex), MYF(MY_WME));
// Lines 987-990: Increment ref_count
if (s->hlindex->tmp_table == NO_TMP_TABLE) {
mysql_mutex_lock(&LOCK_open);
s->hlindex->increment_ref_count();
mysql_mutex_unlock(&LOCK_open);
}
// Lines 993-997: Call open_table_from_share
int error = open_table_from_share(in_use, s->hlindex, hlindex_name,
(uint)(HA_OPEN_KEYFILE | HA_OPEN_RNDFILE |
HA_GET_INDEX | HA_TRY_READ_ONLY),
EXTRA_RECORD, in_use->open_options,
hlindex, false, hlindex_dd);
// Lines 999-1001: Problem: When error != 0, no cleanup before goto error_end
if (error != 0 || hlindex == nullptr) {
error_message = "Failed to open_table_from_share.";
goto error_end; // Memory leak here!
}
Note: open_table_from_share() does NOT free the passed outparam pointer on failure (verified in sql/table.cc); it only cleans up the resources it allocated internally. The caller therefore remains responsible for both the hlindex buffer and the share reference it took.
Suggested fix (caveat: the decrement below is nested under hlindex != nullptr, but the increment at lines 987-990 is not conditional on the allocation having succeeded — unless the elided lines 981-986 already bail out on a null hlindex, the ref_count must also be decremented on that path before the goto; the decrement is done before my_free() so that no path frees the TABLE while still holding the reference):
if (error != 0 || hlindex == nullptr) {
error_message = "Failed to open_table_from_share.";
if (hlindex != nullptr) {
if (s->hlindex->tmp_table == NO_TMP_TABLE) {
mysql_mutex_lock(&LOCK_open);
s->hlindex->decrement_ref_count();
mysql_mutex_unlock(&LOCK_open);
}
my_free(hlindex);
hlindex = nullptr;
}
goto error_end;
}