MDEV-24560 SIGSEGV in st_join_table::cleanup

If JOIN::create_postjoin_aggr_table encounters errors during execution
then free_tmp_table() is then called twice for JOIN_TAB::aggr.
The solution is to initialize JOIN_TAB::aggr only on successful completion
of JOIN::create_postjoin_aggr_table

mysql-test/r/select.result

@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp	GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests

mysql-test/r/select_jcl6.result

@@ -5559,6 +5559,33 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp	GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests
 set join_cache_level=default;
 set @@optimizer_switch=@save_optimizer_switch_jcl6;

mysql-test/r/select_pkeycache.result

@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp	GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests

mysql-test/t/select.test

@@ -4670,4 +4670,32 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 
 drop table t1;
 
+--echo #
+--echo # Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+--echo # erroneous GROUP_CONCAT
+--echo #
+
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+--error ER_BAD_FIELD_ERROR
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+
+DROP TABLE t1;
+
+--echo #
+--echo # Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+--echo # hang + cross-mysqld-interaction + double free or corruption (!prev)
+--echo #
+
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+DROP TABLE t1;
+
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+DROP TABLE t1;
+
 --echo End of 10.0 tests

sql/sql_select.cc

@@ -2989,14 +2989,11 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
   tmp_table_param.using_outer_summary_function=
     tab->tmp_table_param->using_outer_summary_function;
   tab->join= this;
-  DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count || !tables_list);
+  DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count ||
+              !tables_list);
+  tab->table= table;
   if (tab > join_tab)
     (tab - 1)->next_select= sub_select_postjoin_aggr;
-  tab->aggr= new (thd->mem_root) AGGR_OP(tab);
-  if (!tab->aggr)
-    goto err;
-  tab->table= table;
-  table->reginfo.join_tab= tab;
 
   /* if group or order on first table, sort first */
   if ((group_list && simple_group) ||
@@ -3047,12 +3044,15 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
       order= NULL;
     }
   }
-
+  if (!(tab->aggr= new (thd->mem_root) AGGR_OP(tab)))
+    goto err;
+  table->reginfo.join_tab= tab;
   DBUG_RETURN(false);
 
 err:
   if (table != NULL)
     free_tmp_table(thd, table);
+  tab->table= NULL;
   DBUG_RETURN(true);
 }