From 46156069389e8cf4a08872068e14452faae2de20 Mon Sep 17 00:00:00 2001
From: Denis Protivensky
Date: Fri, 13 Mar 2026 13:07:36 +0300
Subject: [PATCH] MDEV-30612: Fix usage of lex->definer in wsrep_create_trigger_query

Setting thd->lex->definer is excessive as it's only used within the function call. Moreover, it would lead to a use-after-free on the second execution of a CREATE TRIGGER prepared statement.
---
mysql-test/suite/galera/r/MDEV-30612.result | 11 +++++++++++
mysql-test/suite/galera/t/MDEV-30612.test | 17 +++++++++++++++++
sql/wsrep_mysqld.cc | 10 +++++-----
3 files changed, 33 insertions(+), 5 deletions(-)
create mode 100644 mysql-test/suite/galera/r/MDEV-30612.result
create mode 100644 mysql-test/suite/galera/t/MDEV-30612.test

diff --git a/mysql-test/suite/galera/r/MDEV-30612.result b/mysql-test/suite/galera/r/MDEV-30612.result
new file mode 100644
index 0000000000000..5003d4e68c301
--- /dev/null
+++ b/mysql-test/suite/galera/r/MDEV-30612.result
@@ -0,0 +1,11 @@
+connection node_2;
+connection node_1;
+CREATE TABLE t(a INT) ENGINE=INNODB;
+PREPARE s FROM 'CREATE TRIGGER tr AFTER DELETE ON t FOR EACH ROW SET @a=1';
+EXECUTE s;
+EXECUTE s;
+ERROR HY000: Trigger 'test.tr' already exists
+DROP TRIGGER tr;
+DROP TABLE t;
+disconnect node_2;
+disconnect node_1;
diff --git a/mysql-test/suite/galera/t/MDEV-30612.test b/mysql-test/suite/galera/t/MDEV-30612.test
new file mode 100644
index 0000000000000..496d8166cd137
--- /dev/null
+++ b/mysql-test/suite/galera/t/MDEV-30612.test
@@ -0,0 +1,17 @@
+#
+# MDEV-30612: Executing CREATE TRIGGER prepared statement twice led to a crash.
+#
+
+--source include/galera_cluster.inc
+--source include/have_innodb.inc
+
+CREATE TABLE t(a INT) ENGINE=INNODB;
+PREPARE s FROM 'CREATE TRIGGER tr AFTER DELETE ON t FOR EACH ROW SET @a=1';
+EXECUTE s;
+--error ER_TRG_ALREADY_EXISTS
+EXECUTE s;
+
+DROP TRIGGER tr;
+DROP TABLE t;
+
+--source include/galera_end.inc
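Review bot: The new test in mysql-test/suite/galera/t/MDEV-30612.test never leaves node_1, so it shows that the second `EXECUTE s;` no longer crashes but not that the trigger arrived on the other node with the expected definer. Since the patched function now takes the definer from a local variable, a check on the second node would pin that result: after the first `EXECUTE s;` add `--connection node_2` and `SELECT DEFINER FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_NAME='tr';`, then `--connection node_1` before the second EXECUTE. The use-after-free is presumably only reported reliably by a sanitizer or debug build, so the header comment could say which build the test is meant to catch it on.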
diff --git a/sql/wsrep_mysqld.cc b/sql/wsrep_mysqld.cc
index b9e05adddcb89..111245445e17a 100644
--- a/sql/wsrep_mysqld.cc
+++ b/sql/wsrep_mysqld.cc
@@ -3939,25 +3939,25 @@ bool wsrep_create_like_table(THD* thd, TABLE_LIST* table,
 int wsrep_create_trigger_query(THD *thd, uchar** buf, size_t* buf_len)
 {
- LEX *lex= thd->lex;
 String stmt_query;
 LEX_CSTRING definer_user;
 LEX_CSTRING definer_host;
- if (!lex->definer)
+ LEX_USER *definer= thd->lex->definer;
+ if (!definer)
 {
 if (!thd->slave_thread)
 {
- if (!(lex->definer= create_default_definer(thd, false)))
+ if (!(definer= create_default_definer(thd, false)))
 return 1;
 }
 }
- if (lex->definer)
+ if (definer)
 {
 /* SUID trigger. */
- LEX_USER *d= get_current_user(thd, lex->definer);
+ LEX_USER *d= get_current_user(thd, definer);
 if (!d)
 return 1;
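Review bot: The new local `definer` in wsrep_create_trigger_query has no comment saying why the result of create_default_definer() must not be written back to `thd->lex->definer`, and the removed form looks like the natural one, so a later cleanup could reintroduce the use-after-free. I would add above the declaration `/* Keep the default definer local: a pointer left in thd->lex->definer dangles on the next EXECUTE of a prepared CREATE TRIGGER (MDEV-30612). */`. The two nested ifs can also become one condition, `if (!definer && !thd->slave_thread && !(definer= create_default_definer(thd, false))) return 1;`. Code that reads `thd->lex->definer` after this call now sees it unset when no DEFINER clause was given; presumably that path supplies its own default, but this is worth confirming because the rest of the function and its callers are outside the hunk.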