MDEV-3810 fix.

  
The problem is that memory alocated by copy_andor_structure() well be freed,
but if level of SELECT_LEX it will be excluded (in case of merge derived tables and view)
then sl->where/having will not be updated here but still can be accessed (so it will be access to freed memory).

(patch by Sanja)

1 files changed, 12 insertions, 2 deletions

diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 9e8a6b941c6..d91d03d24ee 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -2447,14 +2447,24 @@ void reinit_stmt_before_use(THD *thd, LEX *lex)
       */
       if (sl->prep_where)
       {
-        sl->where= sl->prep_where->copy_andor_structure(thd);
+        /*
+          We need this rollback because memory allocated in
+          copy_andor_structure() will be freed
+        */
+        thd->change_item_tree((Item**)&sl->where,
+                              sl->prep_where->copy_andor_structure(thd));
         sl->where->cleanup();
       }
       else
         sl->where= NULL;
       if (sl->prep_having)
       {
-        sl->having= sl->prep_having->copy_andor_structure(thd);
+        /*
+          We need this rollback because memory allocated in
+          copy_andor_structure() will be freed
+        */
+        thd->change_item_tree((Item**)&sl->having,
+                              sl->prep_having->copy_andor_structure(thd));
         sl->having->cleanup();
       }
       else