Bug #27312862: ASAN: HEAP-USE-AFTER-FREE: UPDATEXML RB#21666 RB#21666

The xpath parsing function was using a local string buffer that was
deallocated when going out of scope. However references to it are
preserved in the XPATH parse tree. This was causing read-after-free.

Fixed by making the xpath buffer a local variable inside the Item
class for the relevant xpath function, thus being preserved for the
duration of the query.

1 files changed, 2 insertions, 2 deletions

diff --git a/sql/item_xmlfunc.h b/sql/item_xmlfunc.h
index c5cc986348d..5cac858ee76 100644
--- a/sql/item_xmlfunc.h
+++ b/sql/item_xmlfunc.h
@@ -1,8 +1,7 @@
 #ifndef ITEM_XMLFUNC_INCLUDED
 #define ITEM_XMLFUNC_INCLUDED
 
-/* Copyright (c) 2000-2007 MySQL AB, 2009 Sun Microsystems, Inc.
-   Use is subject to license terms.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -31,6 +30,7 @@ class Item_xml_str_func: public Item_str_func
 protected:
   String tmp_value, pxml;
   Item *nodeset_func;
+  String xpath_tmp_value;
 public:
   Item_xml_str_func(Item *a, Item *b): 
     Item_str_func(a,b)