diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2019-04-27 19:38:39 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2019-04-27 19:38:39 +0200 |
| commit | d88dfd873232dafd480c2d0382b4ff3add9c936d (patch) | |
| tree | e3d4627d79ca499d3c626e48f8c9f802004a9a4d | |
| parent | 3fe38574fbddd0594ac8ad8da10049a47cca6879 (diff) | |
| download | mariadb-git-d88dfd873232dafd480c2d0382b4ff3add9c936d.tar.gz | |
MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree
Item_func_group_concat stores values in `tree`, which is often, but not
always the same as `&tree_base`.
| -rw-r--r-- | mysql-test/r/func_gconcat.result | 19 | ||||
| -rw-r--r-- | mysql-test/t/func_gconcat.test | 19 | ||||
| -rw-r--r-- | sql/item_sum.cc | 4 |
3 files changed, 40 insertions, 2 deletions
diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result index 577381aa4ae..2147040ddb5 100644 --- a/mysql-test/r/func_gconcat.result +++ b/mysql-test/r/func_gconcat.result @@ -1207,3 +1207,22 @@ c Warnings: Warning 1260 Row 15 was cut by GROUP_CONCAT() set max_session_mem_used=default; +SET group_concat_max_len= 8; +CREATE TABLE t1 (a INT); +INSERT t1 VALUES (1),(2); +CREATE TABLE t2 (b DATE, c INT); +INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2); +CREATE TABLE t3 (d INT); +INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14); +CREATE TABLE t4 (e INT); +INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15); +SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f, +GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc +FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4 +GROUP BY f; +f gc +2 2019-12- +Warnings: +Warning 1260 Row 1 was cut by GROUP_CONCAT() +DROP TABLE t1, t2, t3, t4; +SET group_concat_max_len= default; diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test index 067c9a8af62..57da0f3c6fc 100644 --- a/mysql-test/t/func_gconcat.test +++ b/mysql-test/t/func_gconcat.test @@ -879,3 +879,22 @@ set max_session_mem_used=16*1024*1024; # 8M..32M SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c FROM seq_1_to_200000; set max_session_mem_used=default; + +# +# MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree +# +SET group_concat_max_len= 8; +CREATE TABLE t1 (a INT); +INSERT t1 VALUES (1),(2); +CREATE TABLE t2 (b DATE, c INT); +INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2); +CREATE TABLE t3 (d INT); +INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14); +CREATE TABLE t4 (e INT); +INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15); +SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f, + GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc +FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4 +GROUP BY f; +DROP TABLE t1, t2, t3, t4; +SET group_concat_max_len= default; diff --git a/sql/item_sum.cc b/sql/item_sum.cc index 281b3af5a4d..71f07706d22 100644 --- a/sql/item_sum.cc +++ b/sql/item_sum.cc @@ -3345,8 +3345,8 @@ bool Item_func_group_concat::repack_tree(THD *thd) delete_tree(&st.tree); return 1; } - delete_tree(&tree_base); - tree_base= st.tree; + delete_tree(tree); + *tree= st.tree; tree_len= st.len; return 0; } |