database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00
Code Activity

MDEV-29462 ASAN: heap-use-after-free in Binary_string::copy on DO CONVERT

Browse Source 
Item_char_typecast::val_str_generic() uses Item::str_value as a buffer.
Item::val_str_ascii() also used Item::str_value as a buffer.
As a result, str_value tried to copy to itself.

Fixing val_str_ascii() to use a local buffer instead of str_value.
This commit is contained in:
Alexander Barkov
2024-11-06 10:21:08 +04:00
parent f39217da0c
commit fdb6db6b47
3 changed files with 39 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
mysql-test/main/func_misc.test
View File

@@ -1375,6 +1375,16 @@ SELECT r as r1, r FROM cte;
select count(*) from t1 where r1!=r;
drop table t1;
--echo #
--echo # MDEV-29462 ASAN: heap-use-after-free in Binary_string::copy on DO CONVERT
--echo #
DO CONVERT (INET_ATON (CAST(LEFT (-1,1) as BINARY (30))) USING utf8);
DO FROM_BASE64(CAST((MID(UUID(),20,64)) AS BINARY (55)));
DO FROM_BASE64(CAST((MID(17653,ROW('-688:20:162697', (NULL))>=ROW(('*.)$'),(0xc254b6)),1)) AS BINARY (34)));
DO FROM_BASE64(CAST(LEFT (-1,1) as BINARY (30)));
--echo #
--echo # End of 10.5 tests
--echo #