authorNikita Malyavin <nikitamalyavin@gmail.com>2021-10-29 02:04:07 +0300
committerNikita Malyavin <nikitamalyavin@gmail.com>2022-04-13 19:59:19 +0300
commit34f547a00b03087b0c987cdb77246cd2d20f7fbe (patch)
treeb21ceba85d7dc3f711f827e9932a2e1e9828a2a1
parent29463452dbfd420feda7af07bf9ee0230804ae28 (diff)
downloadmariadb-git-bb-10.2-nikita-MDEV-26508.tar.gz
MDEV-26508 heap-use-after-free in Item_default_value::walk on 2nd SP runbb-10.2-nikita-MDEV-26508
The bug is a regression of c47e4aab62c6. In Item_default_value::enchant_default_with_arg_processor the `arg` member is set from f_item of the values list. Then on the 2nd execution this item turns out to be freed. This is because of the check_fields() call, where value items are substituted with temporary ones via thd->change_item_tree(). Solution: we should keep Item_default_value::arg clean after the SP run. Thus, register the change of the item tree. After the SP run NULL will be set back to Item_default_value::arg.
-rw-r--r--sql/item.cc6
-rw-r--r--sql/sql_base.cc3
2 files changed, 7 insertions, 2 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 6e5d2ee45a2..a4fdeebb75e 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -9051,7 +9051,11 @@ error:
bool Item_default_value::enchant_default_with_arg_processor(void *proc_arg)
{
- if (!arg) arg= (Item *)proc_arg;
+ void **arg_arr= (void**)proc_arg;
+ THD *thd= (THD*)arg_arr[0];
+ Item *item= (Item*)arg_arr[1];
+ if (!arg)
+ thd->change_item_tree(&arg, (Item *)item);
return 0;
}
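Review bot: The new body reinterprets proc_arg as a two-element void* array ({THD*, Item*}) but nothing in the hunk states that contract, and any other caller of walk() with this processor (none is visible in the diff) that still passes a bare Item*, as the removed line expected, would have that Item read as an array of pointers — a silent type confusion instead of a compile error. Add a comment above the function, e.g. `/* proc_arg must point to void*[2] == {THD*, Item*}; the only known caller is setup_defaults() in sql_base.cc. Both pointers are copied out, so the array need only outlive the walk() call. */`. The cast `(Item *)item` on the change_item_tree line is redundant since item already has that type; `thd->change_item_tree(&arg, item);` reads cleaner. A small named struct in place of the void* pair would let the compiler check the layout at both sites, though that touches the sql_base.cc hunk too, so it can be a follow-up.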
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index a6c07600591..a41c69d3522 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -7203,7 +7203,8 @@ void setup_defaults(THD *thd, List<Item> &fields, List<Item> &values)
for (Item *value= vit++, *f_item= fit++; value; value= vit++, f_item= fit++)
{
- value->walk(&Item::enchant_default_with_arg_processor, false, f_item);
+ void *arg[2]= {thd, f_item};
+ value->walk(&Item::enchant_default_with_arg_processor, false, arg);
}
}
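Review bot: `void *arg[2]= {thd, f_item};` is a per-iteration stack array whose address is handed to walk(); this is safe only because the processor copies both pointers out of it rather than keeping a pointer to the array, and that dependency is not written down anywhere near the call. A one-line comment such as `/* {THD*, Item*} consumed by Item_default_value::enchant_default_with_arg_processor; must not be retained past walk() */` would keep a later edit from storing the array pointer and reintroducing a dangling reference. setup_defaults() begins before the hunk; only its signature is visible in the @@ header.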