MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data

The issue here is window function makes the passed string object to point to an area in a temporary table's record buffer. Then, the temporary table is freed, together with its record buffer. Then, Item_cache_str attempts to read this value. The fix is to call value_buff.copy(). This will make the value_buff to store its string in a buffer that it owns, which will not disappear unexpectedly.
6 years ago · 808036a61d
3 changed files with 21 additions and 0 deletions
--- a/mysql-test/r/win.result
+++ b/mysql-test/r/win.result
@ -3634,5 +3634,14 @@ rank() over (partition by 'abc' order by 'xyz')
 1
 drop table t1;
 #
+# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+#
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+x
+foo
+drop table t1;
+#
 # End of 10.2 tests
 #
--- a/mysql-test/t/win.test
+++ b/mysql-test/t/win.test
@ -2341,6 +2341,16 @@ select rank() over (partition by 'abc' order by 'xyz') from t1;
 select rank() over (partition by 'abc' order by 'xyz') from t1;
 drop table t1;

+--echo #
+--echo # MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+--echo #
+
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+drop table t1;
+
 --echo #
 --echo # End of 10.2 tests
 --echo #
--- a/sql/item.cc
+++ b/sql/item.cc
@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value()
    value_buff.copy(*value);
    value= &value_buff;
  }
+  else
+    value_buff.copy();
  return TRUE;
 }