From 808036a61d13d4392b6e0d9e7e9eca87a0c20495 Mon Sep 17 00:00:00 2001 From: Varun Gupta Date: Thu, 12 Dec 2019 03:45:34 +0530 Subject: MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data The issue here is window function makes the passed string object to point to an area in a temporary table's record buffer. Then, the temporary table is freed, together with its record buffer. Then, Item_cache_str attempts to read this value. The fix is to call value_buff.copy(). This will make the value_buff to store its string in a buffer that it owns, which will not disappear unexpectedly. --- sql/item.cc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sql/item.cc') diff --git a/sql/item.cc b/sql/item.cc index 333d71ddf70..10087ef1974 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value() value_buff.copy(*value); value= &value_buff; } + else + value_buff.copy(); return TRUE; } -- cgit v1.2.1
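Review bot: the added `else value_buff.copy();` branch in `Item_cache_str::cache_value()` discards whatever `copy()` returns, and the function goes on to `return TRUE` either way; the context line `value_buff.copy(*value);` just above does the same. If `copy()` can fail (for example, on allocation), `value_buff` would be left pointing at the temporary table's record buffer, which is the use-after-free condition the commit message describes. Consider checking the result and handling the failure there. The new branch would also benefit from a short comment saying that the copy exists to make `value_buff` own its storage, since a bare `copy()` with no arguments looks like a no-op to a later reader and is easy to remove in a cleanup. Finally, the diffstat shows only `sql/item.cc` changed, so no regression test for the window-function case from MDEV-19380 comes with this fix; adding one that runs under ASAN would keep the bug from returning unnoticed.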