MDEV-15870 Using aggregate and window function in unexpected places can crash the server

2412c151 · Alexander Barkov · ae0aefb1 · 2412c151 · 2412c151 · 2412c151
Commit 2412c151 authored Jun 13, 2018 by Alexander Barkov
Showing with 30 additions and 5 deletions

mysql-test/r/sp.result mysql-test/r/sp.result +11 -0

mysql-test/t/sp.test mysql-test/t/sp.test +14 -0

sql/item_sum.cc sql/item_sum.cc +2 -2

sql/item_windowfunc.cc sql/item_windowfunc.cc +3 -3

No files found.
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -8354,3 +8354,14 @@ drop procedure p3;
 CREATE PROCEDURE foo ( IN i INT UNSIGNED ) BEGIN END;
 CALL foo( LAST_INSERT_ID() );
 DROP PROCEDURE foo;
+#
+# MDEV-15870 Using aggregate and window function in unexpected places can crash the server
+#
+CREATE PROCEDURE p1 (a TEXT) BEGIN END;
+CALL p1(RANK() OVER (ORDER BY 1));
+ERROR HY000: Window function is allowed only in SELECT list and ORDER BY clause
+CALL p1(ROW_NUMBER() OVER ());
+ERROR HY000: Window function is allowed only in SELECT list and ORDER BY clause
+CALL p1(SUM(1));
+ERROR HY000: Invalid use of group function
+DROP PROCEDURE p1;
--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@@ -9865,3 +9865,17 @@ drop procedure p3;
 CREATE PROCEDURE foo ( IN i INT UNSIGNED ) BEGIN END;
 CALL foo( LAST_INSERT_ID() );
 DROP PROCEDURE foo;
+--echo #
+--echo # MDEV-15870 Using aggregate and window function in unexpected places can crash the server
+--echo #
+CREATE PROCEDURE p1 (a TEXT) BEGIN END;
+--error ER_WRONG_PLACEMENT_OF_WINDOW_FUNCTION
+CALL p1(RANK() OVER (ORDER BY 1));
+--error ER_WRONG_PLACEMENT_OF_WINDOW_FUNCTION
+CALL p1(ROW_NUMBER() OVER ());
+--error ER_INVALID_GROUP_FUNC_USE
+CALL p1(SUM(1));
+DROP PROCEDURE p1;
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -68,14 +68,14 @@ size_t Item_sum::ram_limitation(THD *thd)
 bool Item_sum::init_sum_func_check(THD *thd)
 {
  SELECT_LEX *curr_sel= thd->lex->current_select;
-  if (!curr_sel->name_visibility_map)
+  if (curr_sel && !curr_sel->name_visibility_map)
  {
    for (SELECT_LEX *sl= curr_sel; sl; sl= sl->context.outer_select())
    {
      curr_sel->name_visibility_map|= (1 << sl-> nest_level);
    }
  }
-  if (!(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
+  if (!curr_sel || !(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
  {
    my_message(ER_INVALID_GROUP_FUNC_USE, ER_THD(thd, ER_INVALID_GROUP_FUNC_USE),
               MYF(0));

--- a/sql/item_windowfunc.cc
+++ b/sql/item_windowfunc.cc
@@ -71,9 +71,9 @@ Item_window_func::fix_fields(THD *thd, Item **ref)
 {
  DBUG_ASSERT(fixed == 0);
-  enum_parsing_place place= thd->lex->current_select->context_analysis_place;
+  if (!thd->lex->current_select ||
+      (thd->lex->current_select->context_analysis_place != SELECT_LIST &&
-  if (!(place == SELECT_LIST || place == IN_ORDER_BY))
+       thd->lex->current_select->context_analysis_place != IN_ORDER_BY))
  {
    my_error(ER_WRONG_PLACEMENT_OF_WINDOW_FUNCTION, MYF(0));
    return true;