MDEV-21589 AddressSanitizer: memcpy-param-overlap in Static_binary_string::q_append or String::append

Item_func_concat_ws::val_str(): - collects the result into the string "str" passed as a parameter. - calls val_str(&tmp_buffer) to get arguments. At some point due to heuristic it decides to swap the buffers: - collect the result into &tmp_buffer - call val_str(str) to get arguments Item_func_password::val_str_ascii() returns a String pointing to its member tmp_value[SCRAMBLED_PASSWORD_CHAR_LENGTH+1]. As a result, it's possible that both str and tmp_buffer in Item_func_concat_ws::val_str() point to Item_func_password::tmp_value. Then, memcmp() called on overlapping memory fragrments. Fixing Item_func_password::val_str_ascii() to use Item::copy() instead of Item::set().
2024-12-03 14:03:17 +04:00 · 2024-12-03 14:03:17 +04:00 · d1f42fc80f
commit d1f42fc80f
parent 54c1031b74
3 changed files with 35 additions and 2 deletions
--- a/mysql-test/main/func_concat.result
+++ b/mysql-test/main/func_concat.result
@ -287,3 +287,20 @@ SELECT CONCAT(t2,'-',t2) c2 FROM (SELECT MAKE_SET(3,t,t) t2 FROM t1) sub;
 c2
 abcdefghi,abcdefghi-abcdefghi,abcdefghi
 DROP TABLE t1;
 # Start of 10.5 tests
 #
 # MDEV-13120 Wrong results with MAKE_SET() and subquery
 #
 CREATE TABLE t1 (a DATE, b DATETIME, c VARCHAR(8));
 INSERT INTO t1 VALUES
 ('1996-03-06','1985-11-16 08:00:46','foo'),
 ('2028-08-26','1900-01-01 00:00:00','bar'),
 ('1973-05-04','1900-01-01 00:00:00','qux');
 SELECT CONCAT_WS(' ', a, b, PASSWORD(c)) AS f FROM t1 GROUP BY f WITH ROLLUP;
 f
 1973-05-04 1900-01-01 00:00:00 *6D720C5AAB5096E70AA751206B45B484E5E0121F
 1996-03-06 1985-11-16 08:00:46 *F3A2A51A9B0F2BE2468926B4132313728C250DBF
 2028-08-26 1900-01-01 00:00:00 *E8D46CE25265E545D225A8A6F1BAF642FEBEE5CB
 NULL
 DROP TABLE t1;
 # End of 10.5 tests
--- a/mysql-test/main/func_concat.test
+++ b/mysql-test/main/func_concat.test
@ -265,3 +265,19 @@ CREATE TABLE t1 (t VARCHAR(10) CHARSET latin1);
 INSERT INTO t1 VALUES('abcdefghi');
 SELECT CONCAT(t2,'-',t2) c2 FROM (SELECT MAKE_SET(3,t,t) t2 FROM t1) sub;
 DROP TABLE t1;
 --echo # Start of 10.5 tests
 --echo #
 --echo # MDEV-13120 Wrong results with MAKE_SET() and subquery
 --echo #
 CREATE TABLE t1 (a DATE, b DATETIME, c VARCHAR(8));
 INSERT INTO t1 VALUES
 ('1996-03-06','1985-11-16 08:00:46','foo'),
 ('2028-08-26','1900-01-01 00:00:00','bar'),
 ('1973-05-04','1900-01-01 00:00:00','qux');
 SELECT CONCAT_WS(' ', a, b, PASSWORD(c)) AS f FROM t1 GROUP BY f WITH ROLLUP;
 DROP TABLE t1;
 --echo # End of 10.5 tests
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@ -2241,7 +2241,7 @@ String *Item_func_password::val_str_ascii(String *str)
    if (args[0]->null_value || res->length() == 0)
      return make_empty_result(str);
    my_make_scrambled_password(tmp_value, res->ptr(), res->length());
-    str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH, &my_charset_latin1);
+    str->copy(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH, &my_charset_latin1);
    break;
  case OLD:
    if ((null_value=args[0]->null_value))
@ -2249,7 +2249,7 @@ String *Item_func_password::val_str_ascii(String *str)
    if (res->length() == 0)
      return make_empty_result(str);
    my_make_scrambled_password_323(tmp_value, res->ptr(), res->length());
-    str->set(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, &my_charset_latin1);
+    str->copy(tmp_value, SCRAMBLED_PASSWORD_CHAR_LENGTH_323, &my_charset_latin1);
    break;
  default:
    DBUG_ASSERT(0);