From 26c30f2f7dbb0df7bd7caa226a4b0d9131c283eb Mon Sep 17 00:00:00 2001
From: "sergefp@mysql.com" <>
Date: Wed, 8 Nov 2006 02:26:50 +0300
Subject: [PATCH] BUG#24056: Crash in subquery: Don't assume that condition that was pushed down into subquery has produced exactly one KEY_FIELD element - it could produce several or none at all, handle all of those cases.
---
 sql/sql_select.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index f92217302f8..cfc068cec86 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -2951,10 +2951,12 @@ add_key_fields(JOIN *join, KEY_FIELD **key_fields, uint *and_level,
 join->unit->item->substype() == Item_subselect::IN_SUBS &&
 !join->unit->first_select()->next_select())
 {
+ KEY_FIELD *save= *key_fields;
 add_key_fields(join, key_fields, and_level, cond, usable_tables,
 sargables);
 // Indicate that this ref access candidate is for subquery lookup:
- (*key_fields)[-1].outer_ref= TRUE;
+ for (; save != *key_fields; save++)
+ save->outer_ref= TRUE;
 }
 return;
 }
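Review bot: The new loop `for (; save != *key_fields; save++)` stops only on exact pointer equality, so it is bounded only if the recursive add_key_fields() call never leaves `*key_fields` below the value it had on entry. That invariant is not visible here, because the function body starts and ends outside the hunk. The replaced `(*key_fields)[-1]` store was itself an out-of-range write when no element was produced, so I would make the bound explicit with `for (; save < *key_fields; save++)` or add `DBUG_ASSERT(save <= *key_fields);` before the loop. The diffstat shows only sql/sql_select.cc changed, so a regression test for BUG#24056 covering the zero-element and multi-element cases would be worth adding with this fix.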