MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data

The issue here is window function makes the passed string object to point to an area in a temporary table's record buffer. Then, the temporary table is freed, together with its record buffer. Then, Item_cache_str attempts to read this value. The fix is to call value_buff.copy(). This will make the value_buff to store its string in a buffer that it owns, which will not disappear unexpectedly.
author: Varun Gupta <varun.gupta@mariadb.com> 2019-12-12 03:45:34 +0530
committer: Varun Gupta <varun.gupta@mariadb.com> 2019-12-12 03:55:46 +0530
commit: 808036a61d13d4392b6e0d9e7e9eca87a0c20495 (patch)
tree: 0daa85e0311b6b1f2c9cdf9565dc74343861d202 /sql/item.cc
parent: 546644f1ccac8300e07b9cbc918acd7f1bd51752 (diff)
download: mariadb-git-808036a61d13d4392b6e0d9e7e9eca87a0c20495.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 333d71ddf70..10087ef1974 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value()
     value_buff.copy(*value);
     value= &value_buff;
   }
+  else
+    value_buff.copy();
   return TRUE;
 }
author	Varun Gupta <varun.gupta@mariadb.com>	2019-12-12 03:45:34 +0530
committer	Varun Gupta <varun.gupta@mariadb.com>	2019-12-12 03:55:46 +0530
commit	808036a61d13d4392b6e0d9e7e9eca87a0c20495 (patch)
tree	0daa85e0311b6b1f2c9cdf9565dc74343861d202 /sql/item.cc
parent	546644f1ccac8300e07b9cbc918acd7f1bd51752 (diff)
download	mariadb-git-808036a61d13d4392b6e0d9e7e9eca87a0c20495.tar.gz