diff options
author | Varun Gupta <varun.gupta@mariadb.com> | 2019-12-12 03:45:34 +0530 |
---|---|---|
committer | Varun Gupta <varun.gupta@mariadb.com> | 2019-12-12 03:55:46 +0530 |
commit | 808036a61d13d4392b6e0d9e7e9eca87a0c20495 (patch) | |
tree | 0daa85e0311b6b1f2c9cdf9565dc74343861d202 | |
parent | 546644f1ccac8300e07b9cbc918acd7f1bd51752 (diff) | |
download | mariadb-git-808036a61d13d4392b6e0d9e7e9eca87a0c20495.tar.gz |
MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
The issue here is window function makes the passed string object
to point to an area in a temporary table's record buffer.
Then, the temporary table is freed, together with its record buffer.
Then, Item_cache_str attempts to read this value.
The fix is to call value_buff.copy(). This will make the value_buff to store
its string in a buffer that it owns, which will not disappear unexpectedly.
-rw-r--r-- | mysql-test/r/win.result | 9 | ||||
-rw-r--r-- | mysql-test/t/win.test | 10 | ||||
-rw-r--r-- | sql/item.cc | 2 |
3 files changed, 21 insertions, 0 deletions
diff --git a/mysql-test/r/win.result b/mysql-test/r/win.result index 13d452f3ef2..805fd2ed3d7 100644 --- a/mysql-test/r/win.result +++ b/mysql-test/r/win.result @@ -3634,5 +3634,14 @@ rank() over (partition by 'abc' order by 'xyz') 1 drop table t1; # +# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data +# +CREATE TABLE t1 (i int); +INSERT INTO t1 VALUES (1),(2),(3); +SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x; +x +foo +drop table t1; +# # End of 10.2 tests # diff --git a/mysql-test/t/win.test b/mysql-test/t/win.test index a4d42ce2b91..0f79834567b 100644 --- a/mysql-test/t/win.test +++ b/mysql-test/t/win.test @@ -2342,5 +2342,15 @@ select rank() over (partition by 'abc' order by 'xyz') from t1; drop table t1; --echo # +--echo # MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data +--echo # + +CREATE TABLE t1 (i int); +INSERT INTO t1 VALUES (1),(2),(3); + +SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x; +drop table t1; + +--echo # --echo # End of 10.2 tests --echo # diff --git a/sql/item.cc b/sql/item.cc index 333d71ddf70..10087ef1974 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value() value_buff.copy(*value); value= &value_buff; } + else + value_buff.copy(); return TRUE; } |