MDEV-18734 ASAN heap-use-after-free upon sorting by blob column from partitioned table

ha_partition stores records in array of m_ordered_rec_buffer and uses
it for prio queue in ordered index scan. When the records are restored
from the array the blob buffers may be already freed or rewritten.

The solution is to take temporary ownership of cached blob buffers via
String::swap(). When the record is restored from m_ordered_rec_buffer
the ownership is returned to table fields.

Cleanups:

init_record_priority_queue(): removed needless !m_ordered_rec_buffer
check as there is same assertion few lines before.

dbug_print_row() for arbitrary row pointer

2 files changed, 61 insertions, 0 deletions

diff --git a/mysql-test/suite/federated/federated_partition.result b/mysql-test/suite/federated/federated_partition.result
index a2d5fcffd9b..cce5e3cf3e6 100644
--- a/mysql-test/suite/federated/federated_partition.result
+++ b/mysql-test/suite/federated/federated_partition.result
@@ -46,6 +46,42 @@ connection slave;
 drop table federated.t1_1;
 drop table federated.t1_2;
 End of 5.1 tests
+#
+# MDEV-18734 ASAN heap-use-after-free upon sorting by blob column from partitioned table
+#
+connection slave;
+use federated;
+create table t1_1 (x int, b text, key(x));
+create table t1_2 (x int, b text, key(x));
+connection master;
+create table t1 (x int, b text, key(x)) engine=federated
+partition by range columns (x) (
+partition p1 values less than (40) connection='mysql://root@127.0.0.1:SLAVE_PORT/federated/t1_1',
+partition pn values less than (maxvalue) connection='mysql://root@127.0.0.1:SLAVE_PORT/federated/t1_2'
+);
+insert t1 values (1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6), (7, 7), (8, 8);
+insert t1 select x + 8, x + 8 from t1;
+insert t1 select x + 16, x + 16 from t1;
+insert t1 select x + 49, repeat(x + 49, 100) from t1;
+flush tables;
+# This produces wrong result before MDEV-17573
+select x, left(b, 10) from t1 where x > 30 and x < 60 order by b;
+x	left(b, 10)
+31	31
+32	32
+50	5050505050
+51	5151515151
+52	5252525252
+53	5353535353
+54	5454545454
+55	5555555555
+56	5656565656
+57	5757575757
+58	5858585858
+59	5959595959
+drop table t1;
+connection slave;
+drop table t1_1, t1_2;
 connection master;
 DROP TABLE IF EXISTS federated.t1;
 DROP DATABASE IF EXISTS federated;
diff --git a/mysql-test/suite/federated/federated_partition.test b/mysql-test/suite/federated/federated_partition.test
index ef1e27ec505..c5c8433b4cf 100644
--- a/mysql-test/suite/federated/federated_partition.test
+++ b/mysql-test/suite/federated/federated_partition.test
@@ -50,4 +50,29 @@ drop table federated.t1_2;
 
 --echo End of 5.1 tests
 
+--echo #
+--echo # MDEV-18734 ASAN heap-use-after-free upon sorting by blob column from partitioned table
+--echo #
+connection slave;
+use federated;
+create table t1_1 (x int, b text, key(x));
+create table t1_2 (x int, b text, key(x));
+connection master;
+--replace_result $SLAVE_MYPORT SLAVE_PORT
+eval create table t1 (x int, b text, key(x)) engine=federated
+  partition by range columns (x) (
+  partition p1 values less than (40) connection='mysql://root@127.0.0.1:$SLAVE_MYPORT/federated/t1_1',
+  partition pn values less than (maxvalue) connection='mysql://root@127.0.0.1:$SLAVE_MYPORT/federated/t1_2'
+);
+insert t1 values (1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6), (7, 7), (8, 8);
+insert t1 select x + 8, x + 8 from t1;
+insert t1 select x + 16, x + 16 from t1;
+insert t1 select x + 49, repeat(x + 49, 100) from t1;
+flush tables;
+--echo # This produces wrong result before MDEV-17573
+select x, left(b, 10) from t1 where x > 30 and x < 60 order by b;
+drop table t1;
+connection slave;
+drop table t1_1, t1_2;
+
 source include/federated_cleanup.inc;