Commit 3b5c9697 authored by Sergey Glukhov

Bug#16075310 SERVER CRASH OR VALGRIND ERRORS IN ITEM_FUNC_GROUP_CONCAT::SETUP AND ::ADD

Item_func_group_concat::copy_or_same() creates a copy of original object.
It also creates a copy of ORDER structure because ORDER struct elements may
be modified in find_order_in_list() called from Item_func_group_concat::setup().
As ORDER copy is created using memcpy, ORDER::next elements point to original
ORDER structs. Thus find_order_in_list() called from EXECUTE stmt modifies
original ORDER item pointers so they point to runtime items; these items are
freed after execution, so the original ORDER structure becomes invalid.
The fix is to properly update ORDER::next fields so that they point to
new ORDER elements.



sql/item_sum.cc:
  update ORDER::next fields so that they point to new ORDER elements.
parent 134cfa1c
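The failure mode the commit message describes, as an added example that is not code from the MySQL tree: a constructed stand-in for the ORDER struct is copied the old way (memcpy, which leaves `next` pointing into the original array) and the fixed way (copy-construct, then rechain `next` inside the copy), and a simulated EXECUTE then walks the copied chain and repoints `item` at runtime-only values. The struct layout, the function names and the integer "items" are assumptions made for this example.

```cpp
#include <cstring>
#include <cstddef>
#include <new>

// Constructed stand-in for MySQL's st_order (ORDER), chained through `next`.
struct st_order {
    st_order *next;
    int *item;   // stands in for Item **item, rewritten by find_order_in_list()
};

// Before the fix: memcpy keeps ORDER::next pointing into the original array.
static void copy_order_memcpy(st_order *dst, const st_order *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        memcpy(&dst[i], &src[i], sizeof(st_order));
}

// After the fix: copy-construct each element, then rechain `next` within dst.
static void copy_order_fixed(st_order *dst, const st_order *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        new (&dst[i]) st_order(src[i]);
        dst[i].next = (i + 1 == n) ? NULL : &dst[i + 1];
    }
}

// One EXECUTE: walk the chain from `head` and point every element's `item`
// at a runtime-only value, as find_order_in_list() does from setup().
static void repoint_items(st_order *head, int *runtime_items) {
    size_t k = 0;
    for (st_order *o = head; o; o = o->next, k++)
        o->item = &runtime_items[k];
}

// Runs copy-then-execute with either copy strategy and returns true only if
// no original ORDER element ended up pointing at the runtime items.
static bool originals_survive_execute(bool use_fix) {
    enum { N = 3 };
    int stmt_items[N] = {10, 20, 30};   // owned by the prepared statement
    int runtime_items[N] = {1, 2, 3};   // freed once execution finishes
    st_order orig[N], copy[N];
    for (size_t i = 0; i < N; i++) {
        orig[i].next = (i + 1 == N) ? NULL : &orig[i + 1];
        orig[i].item = &stmt_items[i];
    }
    if (use_fix) copy_order_fixed(copy, orig, N);
    else copy_order_memcpy(copy, orig, N);
    repoint_items(copy, runtime_items);
    for (size_t i = 0; i < N; i++)
        if (orig[i].item != &stmt_items[i]) return false;
    return true;
}
```

With the memcpy copy the walk leaves `copy[0]` after one step and rewrites `orig[1]` and `orig[2]`, which is exactly the dangling state the next EXECUTE would then dereference.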
...@@ -3041,7 +3041,14 @@ Item_func_group_concat::Item_func_group_concat(THD *thd, ...@@ -3041,7 +3041,14 @@ Item_func_group_concat::Item_func_group_concat(THD *thd,
tmp= (ORDER *)(order + arg_count_order); tmp= (ORDER *)(order + arg_count_order);
for (uint i= 0; i < arg_count_order; i++, tmp++) for (uint i= 0; i < arg_count_order; i++, tmp++)
{ {
memcpy(tmp, item->order[i], sizeof(ORDER)); /*
Compiler generated copy constructor is used to
to copy all the members of ORDER struct.
It's also necessary to update ORDER::next pointer
so that it points to new ORDER element.
*/
new (tmp) st_order(*(item->order[i]));
tmp->next= (i + 1 == arg_count_order) ? NULL : (tmp + 1);
order[i]= tmp; order[i]= tmp;
} }
} }
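Review bot: the new comment in this hunk repeats "to" across the line break ("Compiler generated copy constructor is used to / to copy all the members of ORDER struct."); drop one of them. The `tmp->next= (i + 1 == arg_count_order) ? NULL : (tmp + 1);` chaining is correct only because the copies are laid out contiguously from `order + arg_count_order` and `tmp` advances with the loop counter; a one-line comment saying so would make the invariant explicit, since the trailing `NULL` on the last element is what stops the new chain from ever reaching back into `item->order`. Note also that the compiler-generated copy still shallow-copies every other pointer member of `st_order`, so `next` is the only link that is repointed here; that matches the commit message, but the comment should say that sharing the remaining pointers is intended.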