MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data

The issue here is window function makes the passed string object
to point to an area in a temporary table's record buffer.
Then, the temporary table is freed, together with its record buffer.
Then, Item_cache_str attempts to read this value.

The fix is to call value_buff.copy(). This will make the value_buff to store
its string in a buffer that it owns, which will not disappear unexpectedly.

mysql-test/r/win.result

@@ -3634,5 +3634,14 @@ rank() over (partition by 'abc' order by 'xyz')
 1
 drop table t1;
 #
+# MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+#
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+x
+foo
+drop table t1;
+#
 # End of 10.2 tests
 #

mysql-test/t/win.test

@@ -2341,6 +2341,16 @@ select rank() over (partition by 'abc' order by 'xyz') from t1;
 select rank() over (partition by 'abc' order by 'xyz') from t1;
 drop table t1;
 
+--echo #
+--echo # MDEV-19380: ASAN heap-use-after-free in Protocol::net_store_data
+--echo #
+
+CREATE TABLE t1 (i int);
+INSERT INTO t1 VALUES (1),(2),(3);
+
+SELECT (SELECT MIN('foo') OVER() FROM t1 LIMIT 1) as x;
+drop table t1;
+
 --echo #
 --echo # End of 10.2 tests
 --echo #

sql/item.cc

@@ -10044,6 +10044,8 @@ bool Item_cache_str::cache_value()
     value_buff.copy(*value);
     value= &value_buff;
   }
+  else
+    value_buff.copy();
   return TRUE;
 }