MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data

The issue here is window function makes the passed string object to point to an area in a temporary table's record buffer. Then, the temporary table is freed, together with its record buffer. Then, Item_cache_str attempts to read this value. The fix is to call value_buff.copy(). This will make the value_buff to store its string in a buffer that it owns, which will not disappear unexpectedly.
author: Varun Gupta <varun.gupta@mariadb.com> 2019-12-12 03:45:34 +0530
committer: Varun Gupta <varun.gupta@mariadb.com> 2019-12-12 03:55:46 +0530
commit: 808036a61d13d4392b6e0d9e7e9eca87a0c20495 (patch)
tree: 0daa85e0311b6b1f2c9cdf9565dc74343861d202 /mysql-test/r
parent: 546644f1ccac8300e07b9cbc918acd7f1bd51752 (diff)
download: mariadb-git-808036a61d13d4392b6e0d9e7e9eca87a0c20495.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/mysql-test/r/win.result b/mysql-test/r/win.result
index 13d452f3ef2..805fd2ed3d7 100644
--- a/mysql-test/r/win.result
+++ b/mysql-test/r/win.result
@@ -3634,5 +3634,14 @@ rank() over (partition by 'abc' order by 'xyz')
 1
 drop table t1;
 #
+# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+#
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+x
+foo
+drop table t1;
+#
 # End of 10.2 tests
 #
author	Varun Gupta <varun.gupta@mariadb.com>	2019-12-12 03:45:34 +0530
committer	Varun Gupta <varun.gupta@mariadb.com>	2019-12-12 03:55:46 +0530
commit	808036a61d13d4392b6e0d9e7e9eca87a0c20495 (patch)
tree	0daa85e0311b6b1f2c9cdf9565dc74343861d202 /mysql-test/r
parent	546644f1ccac8300e07b9cbc918acd7f1bd51752 (diff)
download	mariadb-git-808036a61d13d4392b6e0d9e7e9eca87a0c20495.tar.gz