From 160d97a4aaacbefb7f91a7e30a79b4d7937468a8 Mon Sep 17 00:00:00 2001 From: Aleksey Midenkov Date: Thu, 5 Aug 2021 23:48:02 +0300 Subject: MDEV-18734 ASAN heap-use-after-free upon sorting by blob column from partitioned table ha_partition stores records in array of m_ordered_rec_buffer and uses it for prio queue in ordered index scan. When the records are restored from the array the blob buffers may be already freed or rewritten. The solution is to take temporary ownership of cached blob buffers via String::swap(). When the record is restored from m_ordered_rec_buffer the ownership is returned to table fields. Cleanups: init_record_priority_queue(): removed needless !m_ordered_rec_buffer check as there is same assertion few lines before. dbug_print_row() for arbitrary row pointer --- sql/filesort.cc | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'sql/filesort.cc') diff --git a/sql/filesort.cc b/sql/filesort.cc index d76c39c3bd4..8b019caf8f5 100644 --- a/sql/filesort.cc +++ b/sql/filesort.cc @@ -608,6 +608,15 @@ const char* dbug_print_table_row(TABLE *table) } +const char* dbug_print_row(TABLE *table, uchar *rec) +{ + table->move_fields(table->field, rec, table->record[0]); + const char* ret= dbug_print_table_row(table); + table->move_fields(table->field, table->record[0], rec); + return ret; +} + + /* Print a text, SQL-like record representation into dbug trace. -- cgit v1.2.1
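Review bot: the new dbug_print_row() in sql/filesort.cc lacks the doc comment that its neighbour ("Print a text, SQL-like record representation into dbug trace.") carries; add a short comment stating that `rec` must point at a buffer laid out like `table->record[0]`, that the field pointers are temporarily moved onto `rec` via `table->move_fields(table->field, rec, table->record[0]);` and restored before returning, and that the returned string has the same lifetime as the one from dbug_print_table_row(). Since this is a debug helper that may be called from a debugger with an arbitrary pointer, consider also returning early when `rec` is NULL rather than moving the field pointers onto a null base.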