author | Georgi Kodinov <georgi.kodinov@oracle.com> | 2019-03-07 14:08:19 +0100 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2019-07-24 18:32:24 +0200 |
commit | c5e967430059212a06b1e3764030f704ca910393 (patch) | |
tree | 067dbf9ddd5ba0ba0ecf0ab7f016f21ecd2cbb86 /sql/item_xmlfunc.cc | |
parent | 9c6777c03c6bdeb329865fe56a9662d15058ff9f (diff) | |
download | mariadb-git-c5e967430059212a06b1e3764030f704ca910393.tar.gz |
Bug #27312862: ASAN: HEAP-USE-AFTER-FREE: UPDATEXML RB#21666 RB#21666
The xpath parsing function was using a local string buffer that was
deallocated when going out of scope. However, references to it were
preserved in the XPATH parse tree. This was causing read-after-free.
Fixed by making the xpath buffer a local variable inside the Item
class for the relevant xpath function, thus being preserved for the
duration of the query.
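The lifetime mismatch the commit message describes, reduced to a stand-alone C++ model. This is an added example, not MariaDB code: `Token`, `Tree`, `parse()`, `XmlFunc` and `xpath_tmp_value_` are stand-ins that assume the real XPath tree stores raw `const char*` ranges into the parsed text, which is the property that makes a short-lived buffer dangerous.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added example, not MariaDB code. A parse tree that keeps [beg, end)
// pointers into the text it parsed, never copying the token bytes
// (assumption: the real MY_XPATH tree aliases its input the same way).
struct Token { const char *beg; const char *end; };
struct Tree  { std::vector<Token> tokens; };

// Split `src` on '/' into aliasing tokens; empty segments are dropped.
static Tree parse(const char *src, std::size_t len) {
  Tree t;
  const char *p = src, *end = src + len;
  while (p < end) {
    const char *start = p;
    while (p < end && *p != '/') ++p;
    if (p > start) t.tokens.push_back(Token{start, p});
    if (p < end) ++p;                       // skip the separator
  }
  return t;
}

// An address range kept as integers, so it can be compared against after the
// object behind it is gone. Dead pointers are compared, never dereferenced.
struct Range {
  std::uintptr_t lo, hi;
  bool contains(const char *ptr) const {
    std::uintptr_t v = reinterpret_cast<std::uintptr_t>(ptr);
    return v >= lo && v < hi;
  }
};

static Range range_of(const char *p, std::size_t n) {
  return Range{reinterpret_cast<std::uintptr_t>(p),
               reinterpret_cast<std::uintptr_t>(p + n)};
}

// True when every token lies inside `r` (and there is at least one token).
static bool all_inside(const Tree &t, const Range &r) {
  for (const Token &tok : t.tokens)
    if (!r.contains(tok.beg) || !r.contains(tok.end - 1)) return false;
  return !t.tokens.empty();
}

// BUGGY shape (pre-fix): the text lives in a function-local heap buffer that
// is freed at return, but the returned tree still points into it. Reading
// any token afterwards is the heap-use-after-free ASan reported.
struct LocalParse {
  Tree tree;
  Range dead;                               // where the local buffer was
};

static LocalParse parse_from_local(const std::string &expr) {
  std::vector<char> tmp(expr.begin(), expr.end());   // local buffer
  LocalParse r;
  r.tree = parse(tmp.data(), tmp.size());
  r.dead = range_of(tmp.data(), tmp.size());
  return r;                                 // tmp freed here; tree dangles
}

// FIXED shape (what the patch does): the buffer is a member of the object
// that owns the tree, so both share the Item's lifetime.
class XmlFunc {
 public:
  void prepare(const std::string &expr) {
    xpath_tmp_value_ = expr;                // mirrors the fix's member buffer
    tree_ = parse(xpath_tmp_value_.data(), xpath_tmp_value_.size());
  }
  // Invariant worth asserting in debug builds: every token aliases the
  // member buffer, never a temporary.
  bool tokens_alias_member() const {
    return all_inside(tree_, range_of(xpath_tmp_value_.data(),
                                      xpath_tmp_value_.size()));
  }
  std::size_t size() const { return tree_.tokens.size(); }
  std::string token(std::size_t i) const {  // safe: memory is still ours
    return std::string(tree_.tokens[i].beg, tree_.tokens[i].end);
  }
 private:
  std::string xpath_tmp_value_;
  Tree tree_;
};

// Constructed input "/a/b/c": the fixed object reads its tokens safely.
static bool fixed_shape_ok() {
  XmlFunc f;
  f.prepare("/a/b/c");
  return f.size() == 3 && f.token(0) == "a" && f.token(2) == "c" &&
         f.tokens_alias_member();
}

// Same input through the buggy shape: all tokens point into freed memory.
static bool buggy_shape_dangles() {
  LocalParse lp = parse_from_local("/a/b/c");
  return lp.tree.tokens.size() == 3 && all_inside(lp.tree, lp.dead);
}
```

The two shapes parse identical text; the only difference is who owns the bytes the tree points at. Building this under `-fsanitize=address` and dereferencing a token from `parse_from_local` reproduces the class of report in the bug title, while `XmlFunc::token()` stays clean because the buffer dies with the object.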
Diffstat (limited to 'sql/item_xmlfunc.cc')
-rw-r--r-- | sql/item_xmlfunc.cc | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/sql/item_xmlfunc.cc b/sql/item_xmlfunc.cc index 90d1f598b5b..6978218fb90 100644 --- a/sql/item_xmlfunc.cc +++ b/sql/item_xmlfunc.cc @@ -1,5 +1,5 @@ -/* Copyright (c) 2005, 2016, Oracle and/or its affiliates. - Copyright (c) 2009, 2017, MariaDB +/* Copyright (c) 2005, 2019, Oracle and/or its affiliates. + Copyright (c) 2009, 2019, MariaDB This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -2601,7 +2601,7 @@ my_xpath_parse(MY_XPATH *xpath, const char *str, const char *strend) void Item_xml_str_func::fix_length_and_dec() { - String *xp, tmp; + String *xp; MY_XPATH xpath; int rc; @@ -2628,7 +2628,7 @@ void Item_xml_str_func::fix_length_and_dec() return; } - if (!(xp= args[1]->val_str(&tmp))) + if (!(xp= args[1]->val_str(&xpath_tmp_value))) return; my_xpath_init(&xpath); xpath.cs= collation.collation; |
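Review bot: the fix in fix_length_and_dec() relies on a member `xpath_tmp_value` that is not declared anywhere in this file, and this diff is limited to sql/item_xmlfunc.cc, so the declaration (presumably a `String` member of Item_xml_str_func in the header) must be checked separately for the lifetime claim in the commit message to hold; please confirm it is an owning `String`, not a pointer or reference. Also, `if (!(xp= args[1]->val_str(&xpath_tmp_value)))` does not guarantee that `xp` points into `xpath_tmp_value`: an Item's `val_str()` may return a pointer to a String other than the one passed in, so the parse tree built from `xp` aliases whichever buffer the argument handed back. The change is sound only if every String `args[1]->val_str()` can return here outlives this Item as well; a short comment above this line stating that the XPath tree keeps raw pointers into `xp->ptr()`, and that this is why the buffer can no longer be the removed local `tmp`, would keep the next refactor from reintroducing the bug.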