diff options
| author | Georgi Kodinov <georgi.kodinov@oracle.com> | 2019-03-07 14:08:19 +0100 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2019-07-24 18:32:24 +0200 |
| commit | c5e967430059212a06b1e3764030f704ca910393 (patch) | |
| tree | 067dbf9ddd5ba0ba0ecf0ab7f016f21ecd2cbb86 | |
| parent | 9c6777c03c6bdeb329865fe56a9662d15058ff9f (diff) | |
| download | mariadb-git-c5e967430059212a06b1e3764030f704ca910393.tar.gz | |
Bug #27312862: ASAN: HEAP-USE-AFTER-FREE: UPDATEXML RB#21666 RB#21666
The xpath parsing function was using a local string buffer that was
deallocated when going out of scope. However references to it are
preserved in the XPATH parse tree. This was causing read-after-free.
Fixed by making the xpath buffer a local variable inside the Item
class for the relevant xpath function, thus being preserved for the
duration of the query.
| -rw-r--r-- | sql/item_xmlfunc.cc | 8 | ||||
| -rw-r--r-- | sql/item_xmlfunc.h | 4 |
2 files changed, 6 insertions, 6 deletions
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc index 90d1f598b5b..6978218fb90 100644 --- a/sql/item_xmlfunc.cc +++ b/sql/item_xmlfunc.cc @@ -1,5 +1,5 @@ -/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. - Copyright (c) 2009, 2017, MariaDB +/* Copyright (c) 2005, 2019, Oracle and/or its affiliates. + Copyright (c) 2009, 2019, MariaDB This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -2601,7 +2601,7 @@ my_xpath_parse(MY_XPATH *xpath, const char *str, const char *strend) void Item_xml_str_func::fix_length_and_dec() { - String *xp, tmp; + String *xp; MY_XPATH xpath; int rc; @@ -2628,7 +2628,7 @@ void Item_xml_str_func::fix_length_and_dec() return; } - if (!(xp= args[1]->val_str(&tmp))) + if (!(xp= args[1]->val_str(&xpath_tmp_value))) return; my_xpath_init(&xpath); xpath.cs= collation.collation; diff --git a/sql/item_xmlfunc.h b/sql/item_xmlfunc.h index c5cc986348d..5cac858ee76 100644 --- a/sql/item_xmlfunc.h +++ b/sql/item_xmlfunc.h @@ -1,8 +1,7 @@ #ifndef ITEM_XMLFUNC_INCLUDED #define ITEM_XMLFUNC_INCLUDED -/* Copyright (c) 2000-2007 MySQL AB, 2009 Sun Microsystems, Inc. - Use is subject to license terms. +/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -31,6 +30,7 @@ class Item_xml_str_func: public Item_str_func protected: String tmp_value, pxml; Item *nodeset_func; + String xpath_tmp_value; public: Item_xml_str_func(Item *a, Item *b): Item_str_func(a,b) |