database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00
Code Activity

MDEV-18738 ASAN heap-use-after-free in copy_if_not_alloced / copy_fields

Browse Source 
copy_if_not_alloced() did not handle situations when
"from" is a constant string pointing to a substring of "to",
so this code part freed "to" but then tried to copy its old (already freed)
content to a new buffer:

  if (to->realloc(from_length))
    return from;
  if ((to->str_length=MY_MIN(from->str_length,from_length)))
    memcpy(to->Ptr,from->Ptr,to->str_length);

Adding a new code piece that catches such constant substrings
and propery reallocs "to" to preserve its important part referenced
by "from".
This commit is contained in:
Alexander Barkov
2019-04-30 10:53:59 +04:00
parent 021c7216c0
commit 5fb6444a37
3 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
mysql-test/r/func_str.result
View File

@ -4757,5 +4757,32 @@ YQ== 61
Yq== 62
DROP TABLE t1;
#
# MDEV-18738 ASAN heap-use-after-free in copy_if_not_alloced / copy_fields
#
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2);
SELECT REPLACE( CAST( CURDATE() AS BINARY ), CURDATE(), REPEAT('a',32) ) AS f FROM t1 GROUP BY f;
f
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
DROP TABLE t1;
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2);
SELECT REPLACE( LEFT( CURDATE(), 4), LEFT(CURDATE(),4), REPEAT('a',32) ) AS f FROM t1 GROUP BY f;
f
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
DROP TABLE t1;
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2);
SELECT REPLACE(RIGHT(CURDATE(), 4), RIGHT(CURDATE(),4), REPEAT('a',32)) AS f FROM t1 GROUP BY f;
f
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
DROP TABLE t1;
CREATE TABLE t1 (a INT);
INSERT INTO t1 VALUES (1),(2);
SELECT REPLACE(SUBSTR(CURDATE(),2,3), SUBSTR(CURDATE(),2,3), REPEAT('a',32)) AS f FROM t1 GROUP BY f;
f
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
DROP TABLE t1;
#
# End of 10.1 tests
#