author | Oleg Smirnov <olernov@gmail.com> | 2022-03-11 21:18:34 +0700 |
---|---|---|
committer | Oleg Smirnov <olernov@gmail.com> | 2022-04-06 15:12:07 +0300 |
commit | 85192553ae2c3cb5fb26ace4cd85377525ac7845 (patch) | |
tree | 227addca022a70e2b37eb70b42b1c2e43166c7b8 | |
parent | 75b9014fedd8bb85d15501a2281fbade6b56fe78 (diff) | |
download | mariadb-git-85192553ae2c3cb5fb26ace4cd85377525ac7845.tar.gz |
MDEV-24560 SIGSEGV in st_join_table::cleanup
If JOIN::create_postjoin_aggr_table encounters errors during execution
then free_tmp_table() is called twice for JOIN_TAB::aggr.
The solution is to initialize JOIN_TAB::aggr only on successful completion
of JOIN::create_postjoin_aggr_table
-rw-r--r-- | mysql-test/r/select.result | 27 | ||||
-rw-r--r-- | mysql-test/r/select_jcl6.result | 27 | ||||
-rw-r--r-- | mysql-test/r/select_pkeycache.result | 27 | ||||
-rw-r--r-- | mysql-test/t/select.test | 28 | ||||
-rw-r--r-- | sql/sql_select.cc | 14 |
5 files changed, 116 insertions, 7 deletions
diff --git a/mysql-test/r/select.result b/mysql-test/r/select.result
index f4a6d17dc9c..2fef3361617 100644
--- a/mysql-test/r/select.result
+++ b/mysql-test/r/select.result
@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests
diff --git a/mysql-test/r/select_jcl6.result b/mysql-test/r/select_jcl6.result
index 63c0968dc73..9e35af9cb78 100644
--- a/mysql-test/r/select_jcl6.result
+++ b/mysql-test/r/select_jcl6.result
@@ -5559,6 +5559,33 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests
 set join_cache_level=default;
 set @@optimizer_switch=@save_optimizer_switch_jcl6;
diff --git a/mysql-test/r/select_pkeycache.result b/mysql-test/r/select_pkeycache.result
index f4a6d17dc9c..2fef3361617 100644
--- a/mysql-test/r/select_pkeycache.result
+++ b/mysql-test/r/select_pkeycache.result
@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
 NULL
 drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
 End of 10.0 tests
diff --git a/mysql-test/t/select.test b/mysql-test/t/select.test
index 2567d189465..ea213be9fea 100644
--- a/mysql-test/t/select.test
+++ b/mysql-test/t/select.test
@@ -4670,4 +4670,32 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
 drop table t1;
+--echo #
+--echo # Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+--echo # erroneous GROUP_CONCAT
+--echo #
+
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+--error ER_BAD_FIELD_ERROR
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+
+DROP TABLE t1;
+
+--echo #
+--echo # Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+--echo # hang + cross-mysqld-interaction + double free or corruption (!prev)
+--echo #
+
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+DROP TABLE t1;
+
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+DROP TABLE t1;
+
 --echo End of 10.0 tests
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 22d3597de16..8d2a4929401 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -2989,14 +2989,11 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
 tmp_table_param.using_outer_summary_function=
 tab->tmp_table_param->using_outer_summary_function;
 tab->join= this;
- DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count || !tables_list);
+ DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count ||
+ !tables_list);
+ tab->table= table;
 if (tab > join_tab)
 (tab - 1)->next_select= sub_select_postjoin_aggr;
- tab->aggr= new (thd->mem_root) AGGR_OP(tab);
- if (!tab->aggr)
- goto err;
- tab->table= table;
- table->reginfo.join_tab= tab;
 /* if group or order on first table, sort first */
 if ((group_list && simple_group) ||
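Review bot: `tab->table= table;` is now assigned before the sort-setup code that can still `goto err`, so from this point until the error label the JOIN_TAB refers to a table that `err:` later frees; that is only sound because the error path (in the next hunk) clears `tab->table` again, and nothing at the assignment records that coupling. A one-line comment would make the invariant visible to the next reader, e.g. `/* Assigned early; the err: path resets tab->table after freeing table */`. The opening of JOIN::create_postjoin_aggr_table lies before the hunk.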
@@ -3047,12 +3044,15 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
 order= NULL;
 }
 }
-
+ if (!(tab->aggr= new (thd->mem_root) AGGR_OP(tab)))
+ goto err;
+ table->reginfo.join_tab= tab;
 DBUG_RETURN(false);
 err:
 if (table != NULL)
 free_tmp_table(thd, table);
+ tab->table= NULL;
 DBUG_RETURN(true);
 }
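Review bot: The error path now clears `tab->table` after `free_tmp_table()` but leaves `tab->aggr` untouched, so the double-free fix silently relies on `tab->aggr` already being NULL when the function is entered; that initialisation is not in the hunk and cannot be confirmed from here. If the precondition holds, a comment at `err:` stating it would help, and if it does not, `tab->aggr= NULL;` next to `tab->table= NULL;` is a cheap guard, since within this function `tab->aggr` is only assigned on the path that returns false. Note also that `(tab - 1)->next_select`, set earlier in the function, is not undone on error; whether the later cleanup tolerates a JOIN_TAB in that state is not visible in the hunk. The function starts before the hunk; its closing brace is the hunk's last line.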