From 8afcda9309832f44a9ba27aaf16d08a0357c0880 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik <serg@mariadb.org>
Date: Sat, 29 Jan 2022 13:42:38 +0100
Subject: [PATCH] ASAN/valgrind errors in connect.misc test

accessing freed memory.
Before XMLCOL::WriteColumn() Tdbp->Clist gets assigned
a nodelist in

      Clist = RowNode->SelectNodes(g, Colname, Clist);

which is RowNode->Doc->Xop->nodesetval.

In XMLCOL::WriteColumn()

        ValNode = ColNode->SelectSingleNode(g, Xname, Vxnp);

calls LIBXMLDOC::GetNodeList() again, which frees the previous
XPath object Xop and replaces it with a new one.

In this case RowNode->Doc == ColNode->Doc, so Clist->Listp
points to a freed memory now.
---
 storage/connect/tabxml.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/storage/connect/tabxml.cpp b/storage/connect/tabxml.cpp
index 7357d2373c8..f17f5278c96 100644
--- a/storage/connect/tabxml.cpp
+++ b/storage/connect/tabxml.cpp
@@ -1803,6 +1803,9 @@ void XMLCOL::WriteColumn(PGLOBAL g)
     else if (Tdbp->Clist)
       ColNode = NULL;
 
+    // refresh CList in case its Listp was freed in SelectSingleNode above
+    if (Tdbp->Clist)
+      Tdbp->RowNode->SelectNodes(g, Tdbp->Colname, Tdbp->Clist);
     } // endfor i
 
   /*********************************************************************/