MDEV-29351 SIGSEGV when doing forward reference of item in select list

The reason for the crash was the code assumed that
SELECT_LEX.ref_pointer_array would be initialized with zero, which was
not the case. This cause the test of
if (!select->ref_pointer_array[counter]) in item.cc to be unpredictable
and causes crashes.

Fixed by zero-filling ref_pointer_array on allocation.

mysql-test/main/group_by.result

@@ -2987,3 +2987,15 @@ drop table t20, t21, t22;
 #
 # End of 10.3 tests
 #
+#
+# MDEV-29351 SIGSEGV when doing forward reference of item in select list
+#
+CREATE TABLE t1 (a INT);
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+ERROR 42S22: Reference 'c' not supported (forward reference in item list)
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+ERROR 42S22: Reference 'c' not supported (forward reference in item list)
+DROP TABLE t1;
+#
+# End of 10.5 tests
+#

mysql-test/main/group_by.test

@@ -2140,3 +2140,18 @@ drop table t20, t21, t22;
 --echo #
 --echo # End of 10.3 tests
 --echo #
+
+--echo #
+--echo # MDEV-29351 SIGSEGV when doing forward reference of item in select list
+--echo #
+
+CREATE TABLE t1 (a INT);
+--error ER_ILLEGAL_REFERENCE
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+--error ER_ILLEGAL_REFERENCE
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+DROP TABLE t1;
+
+--echo #
+--echo # End of 10.5 tests
+--echo #

sql/sql_lex.cc

@@ -3632,7 +3632,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
     return false;
 
   Item **array= static_cast<Item**>(
-    thd->active_stmt_arena_to_use()->alloc(sizeof(Item*) * n_elems));
+    thd->active_stmt_arena_to_use()->calloc(sizeof(Item*) * n_elems));
   if (likely(array != NULL))
     ref_pointer_array= Ref_ptr_array(array, n_elems);
   return array == NULL;