MDEV-18734 ASAN heap-use-after-free upon sorting by blob column from partitioned table

ha_partition stores records in array of m_ordered_rec_buffer and uses it for prio queue in ordered index scan. When the records are restored from the array the blob buffers may be already freed or rewritten. The solution is to take temporary ownership of cached blob buffers via String::swap(). When the record is restored from m_ordered_rec_buffer the ownership is returned to table fields. Cleanups: init_record_priority_queue(): removed needless !m_ordered_rec_buffer check as there is same assertion few lines before. dbug_print_row() for arbitrary row pointer
author: Aleksey Midenkov <midenok@gmail.com> 2021-08-05 23:48:02 +0300
committer: Aleksey Midenkov <midenok@gmail.com> 2021-08-05 23:48:02 +0300
commit: 160d97a4aaacbefb7f91a7e30a79b4d7937468a8 (patch)
tree: 85d605ea7c6676d46482da36d26ba081905d78cc /sql/field.cc
parent: b8deb02859bbb869159134fa20ec14cfd875e11b (diff)
download: mariadb-git-160d97a4aaacbefb7f91a7e30a79b4d7937468a8.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/sql/field.cc b/sql/field.cc
index 074de35e0cf..4e6bc6b8341 100644
--- a/sql/field.cc
+++ b/sql/field.cc
@@ -8318,6 +8318,7 @@ int Field_blob::store(const char *from,uint length,CHARSET_INFO *cs)
   copy_length= copier.well_formed_copy(field_charset,
                                        (char*) value.ptr(), new_length,
                                        cs, from, length);
+  value.length(copy_length);
   Field_blob::store_length(copy_length);
   bmove(ptr+packlength,(uchar*) &tmp,sizeof(char*));
author	Aleksey Midenkov <midenok@gmail.com>	2021-08-05 23:48:02 +0300
committer	Aleksey Midenkov <midenok@gmail.com>	2021-08-05 23:48:02 +0300
commit	160d97a4aaacbefb7f91a7e30a79b4d7937468a8 (patch)
tree	85d605ea7c6676d46482da36d26ba081905d78cc /sql/field.cc
parent	b8deb02859bbb869159134fa20ec14cfd875e11b (diff)
download	mariadb-git-160d97a4aaacbefb7f91a7e30a79b4d7937468a8.tar.gz