MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func

The server crashed due to the stack-use-after-scope on tmp_str. tmp_str will be used later so should not point to the local buffer.
2025-01-16 12:02:42 +01:00 · 2022-07-01 21:41:45 +09:00 · 2022-07-01 21:41:45 +09:00 · 4e9206736c
commit 4e9206736c
parent 162c150505
4 changed files with 90 additions and 9 deletions
--- a/storage/spider/mysql-test/spider/bugfix/r/mdev_28996.result
+++ b/storage/spider/mysql-test/spider/bugfix/r/mdev_28996.result
@ -0,0 +1,34 @@
+#
+# MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func
+#
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
+connection child2_1;
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+CREATE TABLE tbl_a (
+a CHAR(8)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+INSERT INTO tbl_a VALUES ('foo'),('bar');
+connection master_1;
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+CREATE TABLE tbl_a (
+a CHAR(8)
+) ENGINE=Spider DEFAULT CHARSET=utf8 COMMENT='table "tbl_a", srv "s_2_1"';
+SELECT MAX(BINARY a) FROM tbl_a;
+MAX(BINARY a)
+foo
+DROP DATABASE auto_test_local;
+connection child2_1;
+DROP DATABASE auto_test_remote;
+for master_1
+for child2
+child2_1
+child2_2
+child2_3
+for child3
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.cnf
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.cnf
@ -0,0 +1,3 @@
+!include include/default_mysqld.cnf
+!include ../my_1_1.cnf
+!include ../my_2_1.cnf
--- a/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.test
+++ b/storage/spider/mysql-test/spider/bugfix/t/mdev_28996.test
@ -0,0 +1,40 @@
+--echo #
+--echo # MDEV-28996 ASAN errors in String::q_append / spider_string::q_append / spider_db_mbase_util::open_item_func
+--echo #
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_init.inc
+--enable_query_log
+--enable_result_log
+
+--connection child2_1
+CREATE DATABASE auto_test_remote;
+USE auto_test_remote;
+
+eval CREATE TABLE tbl_a (
+  a CHAR(8)
+) $CHILD2_1_ENGINE $CHILD2_1_CHARSET;
+
+INSERT INTO tbl_a VALUES ('foo'),('bar');
+
+--connection master_1
+CREATE DATABASE auto_test_local;
+USE auto_test_local;
+
+eval CREATE TABLE tbl_a (
+  a CHAR(8)
+) $MASTER_1_ENGINE $MASTER_1_CHARSET COMMENT='table "tbl_a", srv "s_2_1"';
+
+SELECT MAX(BINARY a) FROM tbl_a;
+
+DROP DATABASE auto_test_local;
+
+--connection child2_1
+DROP DATABASE auto_test_remote;
+
+--disable_query_log
+--disable_result_log
+--source ../t/test_deinit.inc
+--enable_query_log
+--enable_result_log
--- a/storage/spider/spd_db_mysql.cc
+++ b/storage/spider/spd_db_mysql.cc
@ -4039,6 +4039,7 @@ int spider_db_mbase_util::open_item_func(
  int error_num;
  Item *item, **item_list = item_func->arguments();
  Field *field;
+  spider_string tmp_str;
  uint roop_count, item_count = item_func->argument_count(), start_item = 0;
  const char *func_name = SPIDER_SQL_NULL_CHAR_STR,
    *separator_str = SPIDER_SQL_NULL_CHAR_STR,
@ -4491,10 +4492,11 @@ int spider_db_mbase_util::open_item_func(

          if (str)
          {
-            char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
-            spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+            char *tmp_ptr, *tmp_ptr2;
+            DBUG_ASSERT(tmp_str.length() == 0);
+            tmp_str.set_charset(str->charset());
            tmp_str.init_calc_mem(123);
-            tmp_str.length(0);
+            tmp_str.reserve(MAX_FIELD_WIDTH);
            str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
            if (!merge_func)
            {
@ -4625,10 +4627,11 @@ int spider_db_mbase_util::open_item_func(

          if (str)
          {
-            char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
-            spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+            char *tmp_ptr, *tmp_ptr2;
+            DBUG_ASSERT(tmp_str.length() == 0);
+            tmp_str.set_charset(str->charset());
            tmp_str.init_calc_mem(124);
-            tmp_str.length(0);
+            tmp_str.reserve(MAX_FIELD_WIDTH);
            str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
            if (!merge_func)
            {
@ -4779,10 +4782,11 @@ int spider_db_mbase_util::open_item_func(

        if (str)
        {
-          char tmp_buf[MAX_FIELD_WIDTH], *tmp_ptr, *tmp_ptr2;
-          spider_string tmp_str(tmp_buf, MAX_FIELD_WIDTH, str->charset());
+          char *tmp_ptr, *tmp_ptr2;
+          DBUG_ASSERT(tmp_str.length() == 0);
+          tmp_str.set_charset(str->charset());
          tmp_str.init_calc_mem(125);
-          tmp_str.length(0);
+          tmp_str.reserve(MAX_FIELD_WIDTH);
          str->length(str->length() - SPIDER_SQL_OPEN_PAREN_LEN);
          if (!merge_func)
          {