MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data

The issue here is window function makes the passed string object
to point to an area in a temporary table's record buffer.
Then, the temporary table is freed, together with its record buffer.
Then, Item_cache_str attempts to read this value.

The fix is to call value_buff.copy(). This will make the value_buff to store
its string in a buffer that it owns, which will not disappear unexpectedly.

3 files changed, 21 insertions, 0 deletions

diff --git a/mysql-test/r/win.result b/mysql-test/r/win.result
index 13d452f3ef2..805fd2ed3d7 100644
--- a/mysql-test/r/win.result
+++ b/mysql-test/r/win.result
@@ -3634,5 +3634,14 @@ rank() over (partition by 'abc' order by 'xyz')
 1
 drop table t1;
 #
+# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+#
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+x
+foo
+drop table t1;
+#
 # End of 10.2 tests
 #
diff --git a/mysql-test/t/win.test b/mysql-test/t/win.test
index a4d42ce2b91..0f79834567b 100644
--- a/mysql-test/t/win.test
+++ b/mysql-test/t/win.test
@@ -2342,5 +2342,15 @@ select rank() over (partition by 'abc' order by 'xyz') from t1;
 drop table t1;
 
 --echo #
+--echo # MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+--echo #
+
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+drop table t1;
+
+--echo #
 --echo # End of 10.2 tests
 --echo #
diff --git a/sql/item.cc b/sql/item.cc
index 333d71ddf70..10087ef1974 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value()
     value_buff.copy(*value);
     value= &value_buff;
   }
+  else
+    value_buff.copy();
   return TRUE;
 }