    Commit 17c75bd2
    Alexander Barkov authored
    MDEV-18195 ASAN use-after-poison in my_strcasecmp_utf8 / Item::eq upon prepared statement with ORDER BY NAME_CONST
    
    ASAN noticed a freed memory access during EXECUTE in this script:
      PREPARE stmt FROM "SELECT 'x' ORDER BY NAME_CONST( 'f', 'foo' )";
      EXECUTE stmt;
    
    In case of a PREPARE statement, all Items, including Item_name_const,
    are created on Prepared_statement::main_mem_root.
    Item_name_const::fix_fields() did not take this into account
    and could allocate the value of Item::name on a wrong memory root,
    in this code:
    
      if (is_autogenerated_name)
      {
        set_name(thd, item_name->c_ptr(), (uint) item_name->length(),
                 system_charset_info);
      }
    
    When fix_fields() is called in the reported SQL script, THD's arena already
    points to THD::main_mem_root rather than to Prepared_statement::main_mem_root,
    so Item::name was allocated on THD::main_mem_root.
    Then, at the end of the dispatch_command() for the PREPARE statement,
    THD::main_mem_root got cleared. So during EXECUTE, Item::name
    pointed to already freed memory.
    
    This patch changes the code to set the implicit name for Item_name_const
    at constructor time rather than at fix_fields() time. This guarantees
    that Item_name_const and its Item::name always reside on the same memory root.
    
    Note, this change makes the code for Item_name_const symmetric with other
    constant-like items that set their default implicit names at constructor
    call time rather than at fix_fields() time:
    - Item_string
    - Item_int
    - Item_real
    - Item_decimal
    - Item_null
    - Item_param
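The arena-lifetime mismatch described in the commit message, as an added C example that is not MariaDB's code: it assumes a simplified bump-pointer `mem_root` standing in for MEM_ROOT, and `item`, `make_item_buggy`, `make_item_fixed` and `name_is_safe` are hypothetical names. It shows the implicit name escaping to the short-lived THD root, the poisoned read after that root is cleared, the constructor-time allocation that keeps item and name on one root, and an ownership check that catches the mismatch before the root is freed.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified bump-pointer arena standing in for MariaDB's MEM_ROOT (assumption;
 * fixed size, no growth). */
typedef struct { char buf[4096]; size_t used; } mem_root;

static void *root_alloc(mem_root *r, size_t n) {
    if (r->used + n > sizeof r->buf) return NULL;
    void *p = r->buf + r->used;
    r->used += n;
    return p;
}

static char *root_strdup(mem_root *r, const char *s) {
    size_t n = strlen(s) + 1;
    char *p = root_alloc(r, n);
    if (p) memcpy(p, s, n);
    return p;
}

/* free_root() analogue: poison the used bytes (what ASAN flags on reuse) and reset. */
static void root_clear(mem_root *r) {
    memset(r->buf, 0xAB, r->used);
    r->used = 0;
}

typedef struct { const char *name; } item;   /* stand-in for Item with Item::name */

/* Buggy pattern: the item lives on the statement root, but its implicit name is
 * allocated later (fix_fields() time) on whatever root is current: the THD root. */
static item *make_item_buggy(mem_root *stmt_root, mem_root *thd_root, const char *n) {
    item *it = root_alloc(stmt_root, sizeof *it);
    it->name = root_strdup(thd_root, n);
    return it;
}

/* Fixed pattern: name allocated at construction time, on the same root as the item. */
static item *make_item_fixed(mem_root *stmt_root, const char *n) {
    item *it = root_alloc(stmt_root, sizeof *it);
    it->name = root_strdup(stmt_root, n);
    return it;
}

/* Ownership check: does the name live inside the root that outlives the item? */
static bool name_is_safe(const item *it, const mem_root *stmt_root) {
    const char *c = it->name;
    return c >= stmt_root->buf && c < stmt_root->buf + stmt_root->used;
}
```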
item.cc 265 KB