MDEV-28402 ASAN heap-use-after-free in create_tmp_table, Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'

Make default() function follow Item_field and use get_tmp_table_item() for change_to_use_tmp_fields().
2025-01-17 04:22:27 +01:00 · 2022-05-04 19:51:26 +02:00 · 2022-05-04 19:51:26 +02:00 · 141ab971d8
commit 141ab971d8
parent 624cb9735e
3 changed files with 40 additions and 3 deletions
--- a/mysql-test/r/default.result
+++ b/mysql-test/r/default.result
@ -3413,4 +3413,22 @@ SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
 1
 1
 DROP TABLE t1;
+#
+# MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
+# Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
+#
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
+DEFAULT(a)	CASE a WHEN 0 THEN 1 ELSE 2 END
+NULL	2
+DROP TABLE t;
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
+DEFAULT(a)	CASE a WHEN 0 THEN 1 ELSE 2 END
+NULL	2
+DROP TABLE t;
+DROP VIEW v;
 # end of 10.2 test
--- a/mysql-test/t/default.test
+++ b/mysql-test/t/default.test
@ -2125,4 +2125,21 @@ CREATE TABLE t1 (pk varchar(36) DEFAULT uuid());
 INSERT INTO t1 VALUES (),();
 SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
 DROP TABLE t1;
+
+
+--echo #
+--echo # MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
+--echo # Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
+--echo #
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
+DROP TABLE t;
+
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
+DROP TABLE t;
+DROP VIEW v;
 --echo # end of 10.2 test
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@ -23727,12 +23727,14 @@ change_to_use_tmp_fields(THD *thd, Ref_ptr_array ref_pointer_array,
  for (uint i= 0; (item= it++); i++)
  {
    Field *field;
-    if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||
+    enum Item::Type item_type= item->type();
+    if ((item->with_sum_func && item_type != Item::SUM_FUNC_ITEM) ||
       item->with_window_func)
      item_field= item;
-    else if (item->type() == Item::FIELD_ITEM)
+    else if (item_type == Item::FIELD_ITEM ||
+             item_type == Item::DEFAULT_VALUE_ITEM)
      item_field= item->get_tmp_table_item(thd);
-    else if (item->type() == Item::FUNC_ITEM &&
+    else if (item_type == Item::FUNC_ITEM &&
             ((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC)
    {
      field= item->get_tmp_table_field();