• backport: Bug #55568 from 5.1-security to 5.0-security · 47bb750c
    Gleb Shchepa authored
    > revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h
    > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53
    > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
    > branch nick: 5.1-security
    > timestamp: Tue 2010-08-24 14:35:48 +0400
    > message:
    >   Bug #55568: user variable assignments crash server when used
    >               within query
    >   
    >   The server could crash after materializing a derived table
    >   which requires a temporary table for grouping.
    >   
    >   When destroying the temporary table used to execute a query for
    >   a derived table, JOIN::destroy() did not clean up Item_fields
    >   pointing to fields in the temporary table. This led to
    >   dereferencing a dangling pointer when printing out the items
    >   tree later in the outer SELECT.
    >   
    >   The solution is an addendum to the patch for bug37362: in
    >   addition to cleaning up items in tmp_all_fields3, do the same
    >   for items in tmp_all_fields1, since now we have an example
    >   where this is necessary.
    
    
    sql/field.cc:
      Make sure field->table_name is not set to NULL in
      Field::make_field() to avoid assertion failure in 
      Item_field::make_field() after cleaning up items
      (the assertion fired in udf.test when running
      the test suite with the patch applied).
    sql/sql_select.cc:
      In addition to cleaning up items in tmp_all_fields3, do the
      same for items in tmp_all_fields1.
      Introduce a new helper function to avoid code duplication.
    sql/sql_select.h:
      Introduce a new helper function to avoid code duplication in
      JOIN::destroy().
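The lifetime problem the commit message describes, as an added, simplified C++ model that is not the MySQL source: items borrow raw pointers into a temporary table, and destroying the table without resetting every item list leaves a dangling pointer for later printing. The class layouts, the `reset_items` helper name, the `clean_fields1` switch and the sample field names are assumptions made for illustration.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins for the server classes; not MySQL's code.
struct Field { std::string name; };
struct TmpTable { std::vector<Field> fields; };

struct ItemField {
    std::string orig_name;   // owned by the item, outlives the temp table
    Field *field = nullptr;  // borrowed pointer into a TmpTable
    explicit ItemField(const std::string &n) : orig_name(n) {}
    void cleanup() { field = nullptr; }
    std::string print() const { return field ? field->name : orig_name; }
};

struct Join {
    std::unique_ptr<TmpTable> tmp_table;
    std::vector<ItemField *> tmp_all_fields1, tmp_all_fields3;
    // Hypothetical helper name; the commit does not name its helper.
    static void reset_items(std::vector<ItemField *> &items) {
        for (ItemField *item : items) item->cleanup();
    }
    // clean_fields1 == false models destroy() before this fix.
    void destroy(bool clean_fields1) {
        if (clean_fields1) reset_items(tmp_all_fields1);
        reset_items(tmp_all_fields3);
        tmp_table.reset();   // frees every Field the items borrowed
    }
};

struct Outcome { int stale; std::string printed; };
// Destroys the join, then counts items still holding a non-null (dangling)
// pointer. Pointers are compared with nullptr only; printing happens only
// when no item still borrows from the freed table.
Outcome destroy_then_print(bool clean_fields1) {
    ItemField a("a"), b("b");  // constructed sample items
    Join join;
    join.tmp_table.reset(new TmpTable);
    join.tmp_table->fields = {Field{"tmp.a"}, Field{"tmp.b"}};
    a.field = &join.tmp_table->fields[0];
    b.field = &join.tmp_table->fields[1];
    join.tmp_all_fields1.push_back(&a);
    join.tmp_all_fields3.push_back(&b);
    join.destroy(clean_fields1);
    Outcome out{0, ""};
    for (ItemField *item : {&a, &b}) if (item->field) ++out.stale;
    if (out.stale == 0) out.printed = a.print() + "," + b.print();
    return out;
}
```

Building the model with AddressSanitizer and calling `print()` on the stale item in the unfixed path reports a heap-use-after-free, which is the class of defect the commit closes.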
sql_select.cc 510 KB