[Commits] d835a82fc55: MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
revision-id: d835a82fc55a6826a40345e04f3a5164a10e46dd (mariadb-10.2.29-50-gd835a82fc55)
parent(s): 301a5e487bb625b41543f11626ab524ad348d0ba
author: Varun Gupta
committer: Varun Gupta
timestamp: 2019-12-10 19:43:56 +0530
message: MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
For window functions when the values need to be cached, make sure to create a copy as the values that need to be cached because these point to the fields of the temporary table(Field::Ptr). These temp tables are freed when one calls join->join_free()
---
 mysql-test/r/win.result | 9 +++++++++
 mysql-test/t/win.test | 10 ++++++++++
 sql/item.cc | 12 ++++++++++++
 sql/item.h | 2 +-
 4 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/win.result b/mysql-test/r/win.result
index b543863bc50..3a45b6237aa 100644
--- a/mysql-test/r/win.result
+++ b/mysql-test/r/win.result
@@ -3661,5 +3661,14 @@ x y z
 10 7 10
 drop table t1;
 #
+# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+#
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+x
+foo
+drop table t1;
+#
 # End of 10.2 tests
 #
diff --git a/mysql-test/t/win.test b/mysql-test/t/win.test
index 79a357b3b34..411429bf676 100644
--- a/mysql-test/t/win.test
+++ b/mysql-test/t/win.test
@@ -2363,6 +2363,16 @@ FROM t1;
 drop table t1;
+--echo #
+--echo # MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+--echo #
+
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+drop table t1;
+
 --echo #
 --echo # End of 10.2 tests
 --echo #
diff --git a/sql/item.cc b/sql/item.cc
index 333d71ddf70..528282f74c2 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -10044,6 +10044,18 @@ bool Item_cache_str::cache_value()
 value_buff.copy(*value);
 value= &value_buff;
 }
+ else if (example->type() == Item::WINDOW_FUNC_ITEM)
+ {
+ /*
+ For window functions make sure to create a copy as the values that
+ need to be cached because these point to the fields of the temporary
+ table(Field::Ptr). These temp tables are freed when one calls
+ join->join_free()
+ */
+ value_buff2.set(buffer, sizeof(buffer), example->collation.collation);
+ value_buff2.copy(*value);
+ value= &value_buff2;
+ }
 return TRUE;
 }
diff --git a/sql/item.h b/sql/item.h
index ff4cfd6c1b8..0696162d0f9 100644
--- a/sql/item.h
+++ b/sql/item.h
@@ -5813,7 +5813,7 @@ class Item_cache_decimal: public Item_cache
 class Item_cache_str: public Item_cache
 {
 char buffer[STRING_BUFFER_USUAL_SIZE];
- String *value, value_buff;
+ String *value, value_buff, value_buff2;
 bool is_varbinary;
 public:
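Review bot: The new branch in Item_cache_str::cache_value() takes the defensive copy only when `example->type() == Item::WINDOW_FUNC_ITEM`, but the hazard its comment describes — `str_result()` handing back a String whose `Ptr` aliases a temporary-table field that `join->join_free()` later releases — is a property of where the bytes live rather than of the item type, so the comment should state why window functions are the only items that presumably reach this point with `value == &value_buff`; any other aliasing item would land in the same use-after-free. `value_buff2.set(buffer, ...)` also points the second String at the same `buffer` array that `value_buff` is presumably already backed by (its `set()` is outside the hunk), so when `value_buff` has not been re-pointed at a field the following `value_buff2.copy(*value)` copies `buffer` onto itself — a one-line comment that this self-copy is intended, or a guard such as `if (value->ptr() != buffer)`, would make the aliasing explicit. The inserted comment is the commit message pasted in and reads awkwardly; I would replace it with `Window functions return a String that aliases a temp-table field (Field::ptr), and that table is freed by join->join_free(); copy the bytes into storage this cache owns.` and put the same one-liner on the new `value_buff2` member in item.h, which the hunk there leaves undocumented. The opening of cache_value(), including the condition that guards the first `value_buff.copy()` branch, lies outside the hunk.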