mirror of
https://github.com/MariaDB/server.git
synced 2026-03-27 10:40:44 +01:00
Problem: A stored procedure querying a view with `CONCAT`/`GROUP_CONCAT` could crash due to a NULL pointer dereference during query optimization. During condition pushdown, `Item_direct_ref_to_item::deep_copy` creates a clone whose `ref` pointer incorrectly remains pointing to the original object's `m_item` rather than its own. Because the clone is tethered to the original object, subsequent transformations happen on the original item instead of the clone. Calling `fix_fields` on the malformed `Item_direct_ref_to_item` clone resolves to `Item_field::fix_fields` instead of `Item_ref::fix_fields`, leaving the member `Item_ref::ref` uninitialized (NULL). When this is dereferenced in `Item_ref::const_item`, the server crashes.

Fix: The `Item_direct_ref_to_item::set_item` method is made to update the item and the reference, making the clone complete. This results in correct `fix_fields` resolution, making `Item_ref::ref` safe to access.
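The tethering the commit message describes, shown as an added C++ illustration that is not MariaDB's code: a reference object whose `ref` must point at its own `m_item` slot is copied member-wise, so the copy's `ref` still points into the original, and a rewrite applied "to the clone" lands on the original instead. The class and member names (`DirectRefToItem`, `m_item`, `ref`, `set_item`, `deep_copy_*`) are modelled on those in the message, and `rewrite_via_ref` stands in for whatever transformation condition pushdown applies through the reference; the items `t1.a`/`t1.b` are constructed sample data.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Constructed model of the defect class, not MariaDB's own classes.
struct Item {
    virtual ~Item() = default;
    virtual std::string name() const = 0;
};

struct FieldItem : Item {
    std::string n;
    explicit FieldItem(std::string s) : n(std::move(s)) {}
    std::string name() const override { return n; }
};

class DirectRefToItem {
public:
    explicit DirectRefToItem(Item *it) : m_item(it), ref(&m_item) {}

    // Buggy deep copy: the member-wise copy keeps `ref` aimed at the ORIGINAL's
    // m_item slot, so the clone stays tethered to the object it was copied from.
    std::unique_ptr<DirectRefToItem> deep_copy_buggy() const {
        return std::make_unique<DirectRefToItem>(*this);
    }

    // Fixed deep copy: re-run set_item on the clone so `ref` points at its own slot.
    std::unique_ptr<DirectRefToItem> deep_copy_fixed() const {
        auto c = std::make_unique<DirectRefToItem>(*this);
        c->set_item(c->m_item);
        return c;
    }

    // set_item as the fix describes it: update the item AND the reference to it.
    void set_item(Item *it) { m_item = it; ref = &m_item; }

    // A transformation applied through the reference slot (hypothetical stand-in
    // for a rewrite done during condition pushdown).
    void rewrite_via_ref(Item *replacement) { *ref = replacement; }

    bool tethered_to(const DirectRefToItem &other) const { return ref == &other.m_item; }
    const Item &item() const { return *m_item; }
    const Item &resolved() const { return **ref; }

private:
    Item *m_item;   // the item this reference wraps
    Item **ref;     // must point at this object's own m_item
};

// Clone `orig`, rewrite the item through the CLONE's ref, report what each object holds.
struct Outcome {
    std::string original_item;
    std::string clone_item;
    bool tethered;
};

Outcome transform_clone(bool use_fix) {
    FieldItem a("t1.a"), b("t1.b");             // constructed sample items
    DirectRefToItem orig(&a);
    auto clone = use_fix ? orig.deep_copy_fixed() : orig.deep_copy_buggy();
    clone->rewrite_via_ref(&b);                 // intended to change only the clone
    return { orig.item().name(), clone->item().name(), clone->tethered_to(orig) };
}

int main() {
    for (bool fix : { false, true }) {
        Outcome o = transform_clone(fix);
        std::cout << (fix ? "fixed : " : "buggy : ")
                  << "original=" << o.original_item
                  << " clone=" << o.clone_item
                  << " tethered=" << (o.tethered ? "yes" : "no") << '\n';
    }
    return 0;
}
```

With the buggy copy the rewrite changes the original's item while the clone's own `m_item` is left untouched; with `set_item` re-tethering the clone, the original is unaffected and the clone carries the rewritten item. The same check (is `ref == &m_item` after every copy?) is what a reviewer would want as an assertion in any class that stores a pointer to one of its own members.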
| Name |
|---|
| .. |
| code_quality |
| async_queries.c |
| auto_increment.res |
| auto_increment.tst |
| big_record.pl |
| bug25714.c |
| check_async_queries.pl |
| CMakeLists.txt |
| connect_test.c |
| consistent_snapshot.pl |
| deadlock_test.c |
| drop_test.pl |
| export.pl |
| fork2_test.pl |
| fork_big.pl |
| fork_big2.pl |
| function.res |
| function.tst |
| grant.res |
| index_corrupt.pl |
| insert_and_repair.pl |
| insert_test.c |
| list_test.c |
| lock_test.pl |
| lock_test.res |
| mail_to_db.pl |
| myisam-big-rows.tst |
| mysql_client_fw.c |
| mysql_client_test.c |
| nonblock-wrappers.h |
| pmail.pl |
| rename_test.pl |
| restore-lock.smack |
| select_test.c |
| showdb_test.c |
| ssl_test.c |
| table_types.pl |
| test_delayed_insert.pl |
| thread_test.c |
| truncate.pl |