From 4955f6018a1af8cbaf491c22f8da7cde56321ba0 Mon Sep 17 00:00:00 2001
From: Monty
Date: Wed, 9 Oct 2024 18:07:57 +0300
Subject: [PATCH] MDEV-29351 SIGSEGV when doing forward reference of item in select list
The reason for the crash was the code assumed that SELECT_LEX.ref_pointer_array would be initialized with zero, which was not the case. This cause the test of if (!select->ref_pointer_array[counter]) in item.cc to be unpredictable and causes crashes. Fixed by zero-filling ref_pointer_array on allocation.
---
 mysql-test/main/group_by.result | 12 ++++++++++++
 mysql-test/main/group_by.test | 15 +++++++++++++++
 sql/sql_lex.cc | 2 +-
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/mysql-test/main/group_by.result b/mysql-test/main/group_by.result
index b7bbab6dd47..881febb13a4 100644
--- a/mysql-test/main/group_by.result
+++ b/mysql-test/main/group_by.result
@@ -2987,3 +2987,15 @@ drop table t20, t21, t22;
 #
 # End of 10.3 tests
 #
+#
+# MDEV-29351 SIGSEGV when doing forward reference of item in select list
+#
+CREATE TABLE t1 (a INT);
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+ERROR 42S22: Reference 'c' not supported (forward reference in item list)
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+ERROR 42S22: Reference 'c' not supported (forward reference in item list)
+DROP TABLE t1;
+#
+# End of 10.5 tests
+#
diff --git a/mysql-test/main/group_by.test b/mysql-test/main/group_by.test
index 6c2b99c90be..eaa0d060fe9 100644
--- a/mysql-test/main/group_by.test
+++ b/mysql-test/main/group_by.test
@@ -2140,3 +2140,18 @@ drop table t20, t21, t22;
 --echo #
 --echo # End of 10.3 tests
 --echo #
+
+--echo #
+--echo # MDEV-29351 SIGSEGV when doing forward reference of item in select list
+--echo #
+
+CREATE TABLE t1 (a INT);
+--error ER_ILLEGAL_REFERENCE
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+--error ER_ILLEGAL_REFERENCE
+UPDATE t1 SET c=1 ORDER BY (SELECT c);
+DROP TABLE t1;
+
+--echo #
+--echo # End of 10.5 tests
+--echo # 
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index 385131642b0..023da3567e8 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -3632,7 +3632,7 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
 return false;
 Item **array= static_cast(
- thd->active_stmt_arena_to_use()->alloc(sizeof(Item*) * n_elems));
+ thd->active_stmt_arena_to_use()->calloc(sizeof(Item*) * n_elems));
 if (likely(array != NULL))
 ref_pointer_array= Ref_ptr_array(array, n_elems);
 return array == NULL;
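Review bot: The switch to calloc() zeroes only a freshly allocated array, while the `return false;` context line at the top of the hunk appears to keep an already-existing ref_pointer_array when it is large enough (its condition lies outside the hunk); if that path is taken on a re-prepare or re-execution, the `!ref_pointer_array[counter]` test in item.cc that this fix relies on could still see stale non-NULL slots left by the previous pass, so it is worth confirming the reuse path does not need an explicit reset. The reason for calloc over alloc is also invisible at the call site and a future "cleanup" could revert it; a one-line comment above the allocation would anchor the invariant, e.g. `/* Zero-fill: Item_ref resolution in item.cc treats a NULL slot as an unresolved (forward) reference, so new slots must start out NULL. */`. The bug this fixes is a crash reachable from ordinary SQL, so the invariant is a robustness boundary rather than an optimisation. setup_ref_array begins and ends outside this hunk.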