MDEV-34322: ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR

Execution of UPDATE statement on a table that has an associated trigger
and the UPDATE statement tries to modify a column having the DEFAULT
clause, could result in either assert firing or incorrect issuing of
the ER_BAD_NULL_ERROR error.

The reason of such behaviour is that on opening of a table that has
an associated trigger, the method
  Table_triggers_list::prepare_record_accessors
called to prepare Field objects referencing TABLE::record[1] instead
of record[0]. This method allocates a new array of Field objects
as copies of original table fields but updated null_ptr data
members pointing to an array of extra_null_bitmap allocated before
that on table's mem_root. Later switch_to_nullable_trigger_fields()
is called where table' fields is switched to the new array allocated at
Table_triggers_list::prepare_record_accessors().

After that, when fill_record() is invoked to fill table fields with
values, so the make_default_field is invoked to handle the clause
DEFAULT and the function make_default_field() called to create a field
object. The function make_default_field() creates a copy of Field
object and updates its data member prt/null_tr to position their to
right place of table's record buffer, but since the method
  Table_triggers_list::prepare_record_accessors
has been invoked before, the expression
  def_field->table->s->default_values - def_field->table->record[0]
used for pointers adjustment leads to pointing to arbitrary memory not
associated with the table.

To fix the issue, use the TABLE_SHARE fields for referencing to columns
default values.

Author: dmitryshulga

mysql-test/main/ps.result

@@ -5991,3 +5991,27 @@ DROP VIEW t1;
 #
 # End of 10.4 tests
 #
+#
+# MDEV-34322: ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR
+#
+CREATE TABLE t1 (a INT NOT NULL DEFAULT '0', b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+DROP TABLE t1;
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (30 + 100), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+DROP TABLE t1;
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (b + 100), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+DROP TABLE t1;
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (FLOOR(RAND()*100)), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+DROP TABLE t1;
+# End of 11.4 tests

mysql-test/main/ps.test

@@ -5447,3 +5447,36 @@ DROP VIEW t1;
 --echo #
 --echo # End of 10.4 tests
 --echo #
+
+--echo #
+--echo # MDEV-34322: ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR
+--echo #
+CREATE TABLE t1 (a INT NOT NULL DEFAULT '0', b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+# Cleanup
+DROP TABLE t1;
+
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (30 + 100), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+# Cleanup
+DROP TABLE t1;
+
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (b + 100), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+# Cleanup
+DROP TABLE t1;
+
+CREATE TABLE t1 (a INT NOT NULL DEFAULT (FLOOR(RAND()*100)), b INT);
+INSERT INTO t1 VALUES (1,11);
+CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @x = NULL;
+EXECUTE IMMEDIATE "UPDATE t1 SET a = ?" USING DEFAULT;
+# Cleanup
+DROP TABLE t1;
+
+--echo # End of 11.4 tests

sql/item.cc

@@ -5241,9 +5241,36 @@ static Field *make_default_field(THD *thd, Field *field_arg)
     def_field->move_field(newptr + 1, def_field->maybe_null() ? newptr : 0, 1);
   }
   else
-    def_field->move_field_offset((my_ptrdiff_t)
-                                 (def_field->table->s->default_values -
-                                  def_field->table->record[0]));
+  {
+    if (field_arg->table->s->field != nullptr)
+    {
+      /*
+        Use fields array from TABLE_SHARE for referencing to null byte and
+        field's value on construction of a Field object for default value of
+        table column
+      */
+      Field *target= field_arg->table->s->field[field_arg->field_index];
+
+      /*
+        Set up table field's pointers ptr, null_ptr to point to corresponding
+        s->default_values parts.
+      */
+      def_field->move_field(target->ptr, target->null_ptr, target->null_bit);
+    }
+    else
+    {
+      /*
+        We get to here in case the field references a temporary table.
+        Triggers in not associated with a temporary table. Check these
+        invariants by DBUG_ASSERTs.
+      */
+      DBUG_ASSERT(field_arg->table->s->tmp_table != NO_TMP_TABLE);
+      DBUG_ASSERT(field_arg->table->triggers == nullptr);
+      def_field->move_field_offset((my_ptrdiff_t)
+                                   (def_field->table->s->default_values -
+                                    def_field->table->record[0]));
+    }
+  }
   return def_field;
 }