From b50df7bbd4f189ac6117b3ff5eb1d79fe83fa7e2 Mon Sep 17 00:00:00 2001
From: Yuchen Pei
Date: Thu, 6 Mar 2025 11:21:18 +1100
Subject: [PATCH] MDEV-36220 Correct length in memcpy saving and restoring found NULL record in loose index scan of min

Use reclength because rec_buff_length is the actual reclength with padding, whose use could cause ASAN unknown-crash, presumably caused by memory violation.
---
 mysql-test/main/group_min_max.result | 12 ++++++++++++
 mysql-test/main/group_min_max.test | 10 ++++++++++
 sql/opt_range.cc | 4 ++--
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/mysql-test/main/group_min_max.result b/mysql-test/main/group_min_max.result
index b0155f4fd85..1716db76227 100644
--- a/mysql-test/main/group_min_max.result
+++ b/mysql-test/main/group_min_max.result
@@ -4359,5 +4359,17 @@ MAX(b)
 3
 drop table t1;
 #
+# MDEV-36220 ASAN unknown-crash in loose index scan of MIN with IS NULL
+#
+CREATE TABLE t1 (a int, b int, KEY (a, b));
+insert into t1 values (4, NULL), (1, 14), (4, 3);
+SELECT MIN(b) FROM t1 WHERE b = 3 OR b IS NULL GROUP BY a;
+MIN(b)
+3
+SELECT MIN(b) FROM t1 WHERE b IS NULL GROUP BY a;
+MIN(b)
+NULL
+drop table t1;
+#
 # End of 10.11 tests
 #
diff --git a/mysql-test/main/group_min_max.test b/mysql-test/main/group_min_max.test
index d3aae2e2321..9e62f755b08 100644
--- a/mysql-test/main/group_min_max.test
+++ b/mysql-test/main/group_min_max.test
@@ -2030,6 +2030,16 @@ if ($have_debug) {
 drop table t1;
+--echo #
+--echo # MDEV-36220 ASAN unknown-crash in loose index scan of MIN with IS NULL
+--echo #
+
+CREATE TABLE t1 (a int, b int, KEY (a, b));
+insert into t1 values (4, NULL), (1, 14), (4, 3);
+SELECT MIN(b) FROM t1 WHERE b = 3 OR b IS NULL GROUP BY a;
+SELECT MIN(b) FROM t1 WHERE b IS NULL GROUP BY a;
+drop table t1;
+
 --echo #
 --echo # End of 10.11 tests
 --echo #
diff --git a/sql/opt_range.cc b/sql/opt_range.cc
index 6985f43a623..3f9c5663b26 100644
--- a/sql/opt_range.cc
+++ b/sql/opt_range.cc
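Review bot: The two SELECTs added in the `group_min_max.test` hunk probably return the same rows with and without the `sql/opt_range.cc` change, so on a build without ASAN this test would still pass if the over-long `memcpy` were reintroduced; the description itself names ASAN as what reported the fault. A one-line comment above the CREATE TABLE would make that dependency explicit, e.g. `# The over-long copy is only reported by ASAN builds; the result rows alone do not catch it.`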
@@ -16017,7 +16017,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min_in_range()
 Remember this key, and continue looking for a non-NULL key that satisfies some other condition.
 */
- memcpy(tmp_record, record, head->s->rec_buff_length);
+ memcpy(tmp_record, record, head->s->reclength);
 found_null= TRUE;
 continue;
 }
@@ -16057,7 +16057,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min_in_range()
 */
 if (found_null && result)
 {
- memcpy(record, tmp_record, head->s->rec_buff_length);
+ memcpy(record, tmp_record, head->s->reclength);
 result= 0;
 }
 return result;
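Review bot: Both copies in `next_min_in_range()`, the save into `tmp_record` in the hunk at 16017 and the restore into `record` in the hunk at 16057, are only in bounds if each buffer holds at least `head->s->reclength` bytes, and neither allocation is visible in this patch; please confirm that `tmp_record` is sized from `reclength` (or larger) where it is allocated. Because `rec_buff_length` and `reclength` are easy to mix up and the description says the fault was reported by ASAN, a comment above the first `memcpy` would guard against a regression, e.g. `/* reclength, not rec_buff_length: the padded length tripped ASAN, see MDEV-36220 */`. The function starts before both hunks and its closing brace is not shown.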