From 4096f35a395cee270218ae220b921af567ae26da Mon Sep 17 00:00:00 2001
From: Sergey Glukhov <sergey.glukhov@oracle.com>
Date: Mon, 13 Dec 2010 13:39:26 +0300
Subject: [PATCH] Bug#58396 group_concat and explain extended are still crashy
 Explain fails at fix_fields stage and some items are left unfixed,
 particulary Item_group_concat. Item_group_concat::orig_args field is
 uninitialized in this case and Item_group_concat::print call leads to crash.
 The fix: move the initialization of Item_group_concat::orig_args into
 constructor.

---
 mysql-test/r/func_gconcat.result | 12 ++++++++++++
 mysql-test/t/func_gconcat.test   | 11 +++++++++++
 sql/item_sum.cc                  |  2 +-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result
index de592ece285..4a79a15a2b6 100644
--- a/mysql-test/r/func_gconcat.result
+++ b/mysql-test/r/func_gconcat.result
@@ -1037,4 +1037,16 @@ INSERT INTO t1 values (0),(0);
 SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t GROUP BY t.f1 ) d));
 ERROR 22007: Illegal non geometric '(select 1 from (select (1 = group_concat(`test`.`t1`.`f1` separator ',')) AS `1 IN (GROUP_CONCAT(t1.f1))` from `test`.`t1` join `test`.`t1` `t` group by `t`.`f1`) `d`)' value found during parsing
 DROP TABLE t1;
+#
+# Bug#58396 group_concat and explain extended are still crashy
+#
+CREATE TABLE t1(a INT);
+EXPLAIN EXTENDED SELECT UPDATEXML('1', a, '1')
+FROM t1 ORDER BY (SELECT GROUP_CONCAT(1) FROM t1);
+ERROR HY000: Only constant XPATH queries are supported
+SHOW WARNINGS;
+Level	Code	Message
+Error	1105	Only constant XPATH queries are supported
+Note	1003	select updatexml('1',`test`.`t1`.`a`,'1') AS `UPDATEXML('1', a, '1')` from `test`.`t1` order by (select group_concat(1 separator ',') from `test`.`t1`)
+DROP TABLE t1;
 End of 5.1 tests
diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test
index a7072362759..1475ca082a5 100644
--- a/mysql-test/t/func_gconcat.test
+++ b/mysql-test/t/func_gconcat.test
@@ -746,4 +746,15 @@ SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t G
 --enable_ps_protocol
 DROP TABLE t1;
 
+--echo #
+--echo # Bug#58396 group_concat and explain extended are still crashy
+--echo #
+
+CREATE TABLE t1(a INT);
+--error ER_UNKNOWN_ERROR
+EXPLAIN EXTENDED SELECT UPDATEXML('1', a, '1')
+FROM t1 ORDER BY (SELECT GROUP_CONCAT(1) FROM t1);
+SHOW WARNINGS;
+DROP TABLE t1;
+
 --echo End of 5.1 tests
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index 65f8222d38b..a60a6b3ef95 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -3003,6 +3003,7 @@ Item_func_group_concat(Name_resolution_context *context_arg,
       order_item->item= arg_ptr++;
     }
   }
+  memcpy(orig_args, args, sizeof(Item*) * arg_count);
 }
 
 
@@ -3233,7 +3234,6 @@ Item_func_group_concat::fix_fields(THD *thd, Item **ref)
   if (check_sum_func(thd, ref))
     return TRUE;
 
-  memcpy (orig_args, args, sizeof (Item *) * arg_count);
   fixed= 1;
   return FALSE;
 }