authorTor Didriksen <tor.didriksen@oracle.com>2014-08-21 16:42:04 +0200
committerTor Didriksen <tor.didriksen@oracle.com>2014-08-21 16:42:04 +0200
commit63a6af328594a48b9ea930d17088c739a2ebe4c8 (patch)
tree154539e0112e90cd676ed4dd010caa6451ca390e
parent010ea6ccc61134a2ced75acd6d3e9e2b596c18f3 (diff)
downloadmariadb-git-63a6af328594a48b9ea930d17088c739a2ebe4c8.tar.gz
Bug#18928848 II. MALLOC OF UNINITIALIZED MEMORY SIZE
Several string functions have optimizations for constant sub-expressions which lead to setting max_length == 0. For subqueries, where we need a temporary table to hold the result, we need to ensure that we use a VARCHAR(0) column rather than a CHAR(0) column when such expressions take part in grouping. With CHAR(0) end_update() may write garbage into the next field.
-rw-r--r--sql/item.cc17
1 files changed, 14 insertions, 3 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 10ba48ab1c8..96f15b92a54 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -5241,7 +5241,7 @@ bool Item::eq_by_collation(Item *item, bool binary_cmp, CHARSET_INFO *cs)
If max_length > CONVERT_IF_BIGGER_TO_BLOB create a blob @n
If max_length > 0 create a varchar @n
- If max_length == 0 create a CHAR(0)
+ If max_length == 0 create a CHAR(0) (or VARCHAR(0) if we are grouping)
@param table Table for which the field is created
*/
@@ -5259,8 +5259,19 @@ Field *Item::make_string_field(TABLE *table)
field= new Field_varstring(max_length, maybe_null, name, table->s,
collation.collation);
else
- field= new Field_string(max_length, maybe_null, name,
- collation.collation);
+ {
+ /*
+ marker == 4 : see create_tmp_table()
+ With CHAR(0) end_update() may write garbage into the next field.
+ */
+ if (max_length == 0 && marker == 4 && maybe_null &&
+ field_type() == MYSQL_TYPE_VAR_STRING && type() != Item::TYPE_HOLDER)
+ field= new Field_varstring(max_length, maybe_null, name, table->s,
+ collation.collation);
+ else
+ field= new Field_string(max_length, maybe_null, name,
+ collation.collation);
+ }
if (field)
field->init(table);
return field;
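Review bot: The new else-branch gates the VARCHAR(0) workaround on the bare literal `marker == 4`, explained only by a pointer to create_tmp_table(); since this value is now load-bearing for a memory-safety fix (the out-of-bounds write into the next field the commit message describes), a named constant would make the coupling greppable, e.g. `static const int MARKER_GROUPING_TMP_TABLE= 4; /* placeholder name: the value create_tmp_table() sets */` used in place of the literal. The `max_length == 0` test in the same condition is redundant if max_length is unsigned, because the enclosing `else` is only reached once `max_length > 0` has already failed. The `maybe_null` and `type() != Item::TYPE_HOLDER` guards narrow the fix without the comment saying why a NOT NULL CHAR(0) column cannot hit the same end_update() overwrite; a one-line comment giving that reasoning, such as `/* NOT NULL CHAR(0) has no length byte for end_update() to overrun -- confirm */`, would tell the next reader whether the remaining CHAR(0) path was deliberately left alone. make_string_field's closing brace lies outside the hunk.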