Bug #37362: Crash in do_field_eq
EXPLAIN EXTENDED of a nested query containing an error: 1054 Unknown column '...' in 'field list' may cause a server crash. A parse error like the one described above forces a call to JOIN::destroy() on the malformed subquery. That JOIN::destroy() function closes and frees temporary tables. However, temporary fields of these tables may be listed in st_select_lex::group_list of the outer query, and that st_select_lex may not clean them up properly. So, after the JOIN::destroy() call, that st_select_lex::group_list may have Item_field objects with dangling pointers to freed temporary table Field objects. That caused a crash.
parent
2ecc941bd8
commit
480fac6107
3 changed files with 46 additions and 0 deletions
|
@ -849,4 +849,23 @@ ROW(1,2) = (SELECT 1, 1) ROW(1,2) IN (SELECT 1, 1)
|
|||
SELECT ROW(1,2) = (SELECT 1, 2), ROW(1,2) IN (SELECT 1, 2);
|
||||
ROW(1,2) = (SELECT 1, 2) ROW(1,2) IN (SELECT 1, 2)
|
||||
1 1
|
||||
CREATE TABLE t1 (a INT, b INT, c INT);
|
||||
INSERT INTO t1 VALUES (1,1,1), (1,1,1);
|
||||
EXPLAIN EXTENDED
|
||||
SELECT c FROM
|
||||
( SELECT
|
||||
(SELECT COUNT(a) FROM
|
||||
(SELECT COUNT(b) FROM t1) AS x GROUP BY c
|
||||
) FROM t1 GROUP BY b
|
||||
) AS y;
|
||||
ERROR 42S22: Unknown column 'c' in 'field list'
|
||||
SHOW WARNINGS;
|
||||
Level Code Message
|
||||
Note 1276 Field or reference 'test.t1.a' of SELECT #3 was resolved in SELECT #2
|
||||
Note 1276 Field or reference 'test.t1.c' of SELECT #3 was resolved in SELECT #2
|
||||
Error 1054 Unknown column 'c' in 'field list'
|
||||
Note 1003 select `c` AS `c` from (select (select count(`test`.`t1`.`a`) AS `COUNT(a)` from (select count(`test`.`t1`.`b`) AS `COUNT(b)` from `test`.`t1`) `x` group by `c`) AS `(SELECT COUNT(a) FROM
|
||||
(SELECT COUNT(b) FROM t1) AS x GROUP BY c
|
||||
)` from `test`.`t1` group by `test`.`t1`.`b`) `y`
|
||||
DROP TABLE t1;
|
||||
End of 5.0 tests
|
||||
|
|
|
@ -669,4 +669,23 @@ SELECT ROW(1,2) = (SELECT NULL, 1), ROW(1,2) IN (SELECT NULL, 1);
|
|||
SELECT ROW(1,2) = (SELECT 1, 1), ROW(1,2) IN (SELECT 1, 1);
|
||||
SELECT ROW(1,2) = (SELECT 1, 2), ROW(1,2) IN (SELECT 1, 2);
|
||||
|
||||
#
|
||||
# Bug #37362 Crash in do_field_eq
|
||||
#
|
||||
CREATE TABLE t1 (a INT, b INT, c INT);
|
||||
INSERT INTO t1 VALUES (1,1,1), (1,1,1);
|
||||
|
||||
--error 1054
|
||||
EXPLAIN EXTENDED
|
||||
SELECT c FROM
|
||||
( SELECT
|
||||
(SELECT COUNT(a) FROM
|
||||
(SELECT COUNT(b) FROM t1) AS x GROUP BY c
|
||||
) FROM t1 GROUP BY b
|
||||
) AS y;
|
||||
SHOW WARNINGS;
|
||||
|
||||
DROP TABLE t1;
|
||||
|
||||
|
||||
--echo End of 5.0 tests
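Review bot: The expected failure is given by number, `--error 1054`; the symbolic form `--error ER_BAD_FIELD_ERROR` states what is expected without a lookup. The header comment carries only the bug title, so I would add a line such as `# EXPLAIN EXTENDED must fail with an unknown-column error and must not touch freed tmp-table fields`. Because the defect described in the commit message is a read through a dangling pointer, a plain build may pass this test even without the fix. Presumably it is decisive mainly under Valgrind or a debug build, and the comment should say so.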
|
||||
|
|
|
@ -2161,6 +2161,14 @@ JOIN::destroy()
|
|||
cond_equal= 0;
|
||||
|
||||
cleanup(1);
|
||||
/* Cleanup items referencing temporary table columns */
|
||||
if (!tmp_all_fields3.is_empty())
|
||||
{
|
||||
List_iterator_fast<Item> it(tmp_all_fields3);
|
||||
Item *item;
|
||||
while ((item= it++))
|
||||
item->cleanup();
|
||||
}
|
||||
if (exec_tmp_table1)
|
||||
free_tmp_table(thd, exec_tmp_table1);
|
||||
if (exec_tmp_table2)
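Review bot: The added loop is order-sensitive, because it has to run before the `free_tmp_table()` calls that follow it, but the one-line comment does not say so and does not explain why only `tmp_all_fields3` is walked. Since the commit message describes the bug as Item_field objects left with dangling pointers to freed temporary-table Field objects (a use-after-free), I would expand the comment to something like `/* Reset items that point at tmp-table Fields before the tables are freed below; the outer select's group_list may still reference them (Bug #37362) */`. If the JOIN's other temporary field lists can hold such items too, they would need the same cleanup. That cannot be judged from this hunk, because the body of JOIN::destroy() starts and ends outside it.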
|
||||
|
|