Bug#35395965 heap-use-after-free with functions, procedure

 and Item_func_in::populate_bisection As part of a performance improvement, m_const_array is introduced to save IN list items across execution. This list is populated either at the end of preparation or at the start of execution based on the nature of its objects. Some of its elements (String class object) have memory allocated from runtime memory (example: input constants) that are not valid after the end of the current execution. Ownership of such memory is not passed to the String object at the assignment. But reuse is attempted in subsequent runs that can lead to unexpected behavior. Fix: Release all runtime memory and cleanup pointers in m_const_array at the end of statement execution. Change-Id: Ib56b047c54b1b0d9428e9ed515e097ab4e0d5e4d

Author: Ajo Robert

sql/item_cmpfunc.cc

@@ -4375,22 +4375,24 @@ in_string::in_string(MEM_ROOT *mem_root, uint elements, const CHARSET_INFO *cs)
  }
 }
 
+void in_string::cleanup() {
+ // Clear reference pointers and free any memory allocated for holding data.
+ for (uint i = 0; i < m_used_size; i++) {
+ String *str = base_pointers[i];
+ str->set(static_cast<const char *>(nullptr), 0, str->charset());
+ }
+}
+
 void in_string::set(uint pos, Item *item) {
  String *str = base_pointers[pos];
  String *res = eval_string_arg(collation, item, str);
- if (res && res != str) {
- if (res->uses_buffer_owned_by(str)) res->copy();
- if (item->type() == Item::FUNC_ITEM)
- str->copy(*res);
- else
- *str = *res;
- }
- if (!str->charset()) {
- const CHARSET_INFO *cs;
- if (!(cs = item->collation.collation))
- cs = &my_charset_bin; // Should never happen for STR items
- str->set_charset(cs);
- }
+ if (res == nullptr || res == str) return;
+
+ if (res->uses_buffer_owned_by(str)) res->copy();
+ if (item->type() == Item::FUNC_ITEM)
+ str->copy(*res);
+ else
+ *str = *res;
 }
 
 static int srtcmp_in(const CHARSET_INFO *cs, const String *x, const String *y) {
@@ -5371,7 +5373,10 @@ void Item_func_in::cleanup() {
  DBUG_TRACE;
  Item_int_func::cleanup();
  // Trigger re-population in next execution (if bisection is used)
- if (m_need_populate) m_populated = false;
+ if (m_need_populate) {
+ if (m_const_array != nullptr) m_const_array->cleanup();
+ m_populated = false;
+ }
 
  if (!first_resolve_call) {
  /*

sql/item_cmpfunc.h

@@ -1629,6 +1629,7 @@ class in_vector {
  @return true if any null values was found, false otherwise.
  */
  bool fill(Item **items, uint item_count);
+ virtual void cleanup() {}
 
  private:
  virtual void set(uint pos, Item *item) = 0;
@@ -1655,6 +1656,7 @@ class in_string final : public in_vector {
  }
  bool find_item(Item *item) override;
  bool compare_elems(uint pos1, uint pos2) const override;
+ void cleanup() override;
 
  private:
  void set(uint pos, Item *item) override;