mirror of
https://github.com/MariaDB/server.git
synced 2025-01-17 12:32:27 +01:00
MDEV-28402 ASAN heap-use-after-free in create_tmp_table, Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
Make default() function follow Item_field and use get_tmp_table_item() for change_to_use_tmp_fields().
This commit is contained in:
parent
624cb9735e
commit
141ab971d8
3 changed files with 40 additions and 3 deletions
|
@ -3413,4 +3413,22 @@ SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
|
|||
1
|
||||
1
|
||||
DROP TABLE t1;
|
||||
#
|
||||
# MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
|
||||
# Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
|
||||
#
|
||||
CREATE TABLE t (a INT, KEY (a));
|
||||
INSERT INTO t VALUES (1),(2);
|
||||
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
|
||||
DEFAULT(a) CASE a WHEN 0 THEN 1 ELSE 2 END
|
||||
NULL 2
|
||||
DROP TABLE t;
|
||||
CREATE TABLE t (a INT, KEY (a));
|
||||
INSERT INTO t VALUES (1),(2);
|
||||
CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
|
||||
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
|
||||
DEFAULT(a) CASE a WHEN 0 THEN 1 ELSE 2 END
|
||||
NULL 2
|
||||
DROP TABLE t;
|
||||
DROP VIEW v;
|
||||
# end of 10.2 test
|
||||
|
|
|
@ -2125,4 +2125,21 @@ CREATE TABLE t1 (pk varchar(36) DEFAULT uuid());
|
|||
INSERT INTO t1 VALUES (),();
|
||||
SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
|
||||
DROP TABLE t1;
|
||||
|
||||
|
||||
--echo #
|
||||
--echo # MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
|
||||
--echo # Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
|
||||
--echo #
|
||||
CREATE TABLE t (a INT, KEY (a));
|
||||
INSERT INTO t VALUES (1),(2);
|
||||
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
|
||||
DROP TABLE t;
|
||||
|
||||
CREATE TABLE t (a INT, KEY (a));
|
||||
INSERT INTO t VALUES (1),(2);
|
||||
CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
|
||||
SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
|
||||
DROP TABLE t;
|
||||
DROP VIEW v;
|
||||
--echo # end of 10.2 test
|
||||
|
|
|
@ -23727,12 +23727,14 @@ change_to_use_tmp_fields(THD *thd, Ref_ptr_array ref_pointer_array,
|
|||
for (uint i= 0; (item= it++); i++)
|
||||
{
|
||||
Field *field;
|
||||
if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||
|
||||
enum Item::Type item_type= item->type();
|
||||
if ((item->with_sum_func && item_type != Item::SUM_FUNC_ITEM) ||
|
||||
item->with_window_func)
|
||||
item_field= item;
|
||||
else if (item->type() == Item::FIELD_ITEM)
|
||||
else if (item_type == Item::FIELD_ITEM ||
|
||||
item_type == Item::DEFAULT_VALUE_ITEM)
|
||||
item_field= item->get_tmp_table_item(thd);
|
||||
else if (item->type() == Item::FUNC_ITEM &&
|
||||
else if (item_type == Item::FUNC_ITEM &&
|
||||
((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC)
|
||||
{
|
||||
field= item->get_tmp_table_field();
|
||||
|
|
Loading…
Reference in a new issue