Bug #27312862: ASAN: HEAP-USE-AFTER-FREE: UPDATEXML RB#21666 RB#21666

The xpath parsing function was using a local string buffer that was
deallocated when going out of scope. However references to it are
preserved in the XPATH parse tree. This was causing read-after-free.

Fixed by making the xpath buffer a local variable inside the Item
class for the relevant xpath function, thus being preserved for the
duration of the query.

sql/item_xmlfunc.cc

@@ -1,5 +1,5 @@
-/* Copyright (c) 2005, 2016, Oracle and/or its affiliates.
-   Copyright (c) 2009, 2017, MariaDB
+/* Copyright (c) 2005, 2019, Oracle and/or its affiliates.
+   Copyright (c) 2009, 2019, MariaDB
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -2601,7 +2601,7 @@ my_xpath_parse(MY_XPATH *xpath, const char *str, const char *strend)
 
 void Item_xml_str_func::fix_length_and_dec()
 {
-  String *xp, tmp;
+  String *xp;
   MY_XPATH xpath;
   int rc;
 
@@ -2628,7 +2628,7 @@ void Item_xml_str_func::fix_length_and_dec()
     return;
   }
 
-  if (!(xp= args[1]->val_str(&tmp)))
+  if (!(xp= args[1]->val_str(&xpath_tmp_value)))
     return;
   my_xpath_init(&xpath);
   xpath.cs= collation.collation;

sql/item_xmlfunc.h

@@ -1,8 +1,7 @@
 #ifndef ITEM_XMLFUNC_INCLUDED
 #define ITEM_XMLFUNC_INCLUDED
 
-/* Copyright (c) 2000-2007 MySQL AB, 2009 Sun Microsystems, Inc.
-   Use is subject to license terms.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -31,6 +30,7 @@ class Item_xml_str_func: public Item_str_func
 protected:
   String tmp_value, pxml;
   Item *nodeset_func;
+  String xpath_tmp_value;
 public:
   Item_xml_str_func(Item *a, Item *b): 
     Item_str_func(a,b)