BUG#36297142 - mysqld crash at vector::get_dot for ASAN

kaankara · kaankara · commit 889a66a0e7e3 · 2024-02-16T09:21:11.000Z
Problem
=======
- At udf_handler::get_and_convert_string, we get a String*
result pointer, which might be the address of Item::str_value.
We then call c_ptr_safe() on this, so the buffer of
Item::str_value gets reallocated.
- Queries which have UDFs consuming the same argument more
than once, the Item_ref has the same ref_item, with the same
underlying str_value.
Example: SELECT UDF(col1, col1) FROM view_t1;
- In such cases, when setting the m_ptr of Item::str_value
directly (while processing the second argument), we free the
buffer that we had allocated at c_ptr_safe(), at the time of
processing the first argument.
- As a result, the UDF will try to read a buffer that has
been freed, causing the ASAN issue.

Solution
========
- The root cause is that the udf_handler changes contents
of Item::str_value directly. Instead of doing that, assign
the contents of Item::str_value to udf_handler local buffers.
Note that this is not a deep string copy.
- Any further calls to c_ptr_safe() will not modify
Item::str_value object, avoiding the issue.

Change-Id: Ib3d6e1d52825dafbc1e495f5f45f8fac75bc90f1
diff --git a/sql/item_func.cc b/sql/item_func.cc
@@ -4980,19 +4980,28 @@ void udf_handler::get_string(uint index) {
 bool udf_handler::get_and_convert_string(uint index) {
   String *res = args[index]->val_str(&buffers[index]);
 
-  /* m_args_extension.charset_info[index] is a legitimate charset */
-  if (res != nullptr && m_args_extension.charset_info[index] != nullptr) {
-    if (res->charset() != m_args_extension.charset_info[index]) {
+  if (!args[index]->null_value) {
+    auto check_charset = m_args_extension.charset_info[index];
+    if (check_charset != nullptr && res->charset() != check_charset) {
+      /* m_args_extension.charset_info[index] is a legitimate charset */
       String temp;
       uint dummy;
       if (temp.copy(res->ptr(), res->length(), res->charset(),
                     m_args_extension.charset_info[index], &dummy)) {
         return true;
       }
       *res = std::move(temp);
+    } else if (res != &buffers[index]) {
+      /* The res returned above is &Item::str_value
+       * We may call c_ptr_safe() below, reallocating the buffer of
+       * Item::str_value If we set the str_value m_ptr directly somewhere, the
+       * allocated buffer at c_ptr_safe() will be freed, before the UDF is able
+       * to use it. So, instead of changing Item::str_value, copy its contents
+       * to udf_handler::buffers and use that instead.
+       */
+      buffers[index] = *res;
+      res = &buffers[index];
     }
-  }
-  if (!args[index]->null_value) {
     f_args.args[index] = res->c_ptr_safe();
     f_args.lengths[index] = res->length();
   } else {
