From fc794fd8ffaafde85db9feccc694060707657c99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20M=C3=A4kel=C3=A4?=
Date: Tue, 13 Sep 2022 08:58:34 +0300
Subject: [PATCH] MDEV-29520 heap-use-after-poison in row_merge_spatial_rows()

row_merge_read_clustered_index(): Do not call mem_heap_empty(row_heap) before row_merge_spatial_rows() has been able to read the data.
---
 .../suite/innodb_gis/r/alter_spatial_index.result | 10 ++++++++++
 .../suite/innodb_gis/t/alter_spatial_index.test | 14 ++++++++++++++
 storage/innobase/row/row0merge.cc | 6 ++++--
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/mysql-test/suite/innodb_gis/r/alter_spatial_index.result b/mysql-test/suite/innodb_gis/r/alter_spatial_index.result
index 7c539bcdbf4..e6ac128bf9f 100644
--- a/mysql-test/suite/innodb_gis/r/alter_spatial_index.result
+++ b/mysql-test/suite/innodb_gis/r/alter_spatial_index.result
@@ -785,3 +785,13 @@ CREATE OR REPLACE TABLE t1 (a INT) ENGINE=InnoDB;
 ALTER TABLE t1 ADD COLUMN b POINT DEFAULT '0';
 ERROR 22003: Cannot get geometry object from data you send to the GEOMETRY field
 DROP TABLE t1;
+#
+# MDEV-29520 heap-use-after-poison in row_merge_spatial_rows()
+#
+CREATE TABLE t
+(a VARCHAR(8192), b POINT NOT NULL, PRIMARY KEY(a(8)), SPATIAL(b))
+ENGINE=InnoDB;
+INSERT INTO t VALUES (REPEAT('MariaDB Corporation Ab ',351),POINT(0,0));
+ALTER TABLE t FORCE;
+DROP TABLE t;
+# End of 10.3 tests
diff --git a/mysql-test/suite/innodb_gis/t/alter_spatial_index.test b/mysql-test/suite/innodb_gis/t/alter_spatial_index.test
index 2039e2d1c39..4cfa1daf657 100644
--- a/mysql-test/suite/innodb_gis/t/alter_spatial_index.test
+++ b/mysql-test/suite/innodb_gis/t/alter_spatial_index.test
@@ -780,3 +780,17 @@ CREATE OR REPLACE TABLE t1 (a INT) ENGINE=InnoDB; ALTER TABLE t1 ADD COLUMN b POINT DEFAULT '0'; DROP TABLE t1; +--echo # +--echo # MDEV-29520 heap-use-after-poison in row_merge_spatial_rows() +--echo # + +CREATE TABLE t +(a VARCHAR(8192), b POINT NOT NULL, PRIMARY KEY(a(8)), SPATIAL(b)) +ENGINE=InnoDB; +INSERT INTO t VALUES (REPEAT('MariaDB Corporation Ab ',351),POINT(0,0)); +ALTER TABLE t FORCE; + +# Cleanup +DROP TABLE t; + +--echo # End of 10.3 tests diff --git a/storage/innobase/row/row0merge.cc b/storage/innobase/row/row0merge.cc index 31e323d423c..8b1b206f4e8 100644 --- a/storage/innobase/row/row0merge.cc +++ b/storage/innobase/row/row0merge.cc @@ -1924,8 +1924,6 @@ row_merge_read_clustered_index( row_ext_t* ext; page_cur_t* cur = btr_pcur_get_page_cur(&pcur); - mem_heap_empty(row_heap); - page_cur_move_to_next(cur); stage->n_pk_recs_inc(); @@ -1957,6 +1955,8 @@ row_merge_read_clustered_index( goto func_exit; } + mem_heap_empty(row_heap); + if (!mtr.is_active()) { goto scan_next; } @@ -2031,6 +2031,8 @@ end_of_index: ut_ad(!page_cur_is_after_last(cur)); } + } else { + mem_heap_empty(row_heap); } rec = page_cur_get_rec(cur);
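Review bot: The added test case does not record why the row must be this large, or in which kind of build the regression is observable. `REPEAT('MariaDB Corporation Ab ',351)` yields 8073 characters for the `VARCHAR(8192)` column, presumably so that the rebuild in `ALTER TABLE t FORCE` makes row_merge_read_clustered_index() allocate from row_heap in the way that triggered the report. A comment above the INSERT, such as `# The long value of a is needed to reproduce MDEV-29520; do not shorten it`, would protect it from a later cleanup. Heap-use-after-poison is an AddressSanitizer diagnostic, so the test likely passes on an uninstrumented build even without the fix, and it is worth saying in the test that it guards the bug only in sanitizer runs.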
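Review bot: The two relocated `mem_heap_empty(row_heap);` calls (after the `goto func_exit` error check in the @@ -1957 hunk and in the new `else` branch of the @@ -2031 hunk) have no comment stating the lifetime rule they now enforce, and that rule is the whole substance of the fix. Putting the commit message's constraint next to the code, e.g. `/* row_merge_spatial_rows() reads data allocated from row_heap; do not empty the heap before it has run */`, would keep a later change from moving the call back to the spot removed in the @@ -1924 hunk and reintroducing the use-after-poison. The `if` that the new `else` pairs with and the call preceding the error check both lie outside the hunks, so it cannot be seen here whether every path to the next record passes through exactly one of the two sites. That should be confirmed, since a path that skips both would let row_heap grow for the rest of the scan.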