authorOleg Smirnov <olernov@gmail.com>2022-03-11 21:18:34 +0700
committerOleg Smirnov <olernov@gmail.com>2022-04-06 15:12:07 +0300
commit85192553ae2c3cb5fb26ace4cd85377525ac7845 (patch)
tree227addca022a70e2b37eb70b42b1c2e43166c7b8
parent75b9014fedd8bb85d15501a2281fbade6b56fe78 (diff)
downloadmariadb-git-85192553ae2c3cb5fb26ace4cd85377525ac7845.tar.gz
MDEV-24560 SIGSEGV in st_join_table::cleanup
If JOIN::create_postjoin_aggr_table encounters errors during execution, free_tmp_table() is called twice for JOIN_TAB::aggr. The solution is to initialize JOIN_TAB::aggr only on successful completion of JOIN::create_postjoin_aggr_table.
-rw-r--r--mysql-test/r/select.result27
-rw-r--r--mysql-test/r/select_jcl6.result27
-rw-r--r--mysql-test/r/select_pkeycache.result27
-rw-r--r--mysql-test/t/select.test28
-rw-r--r--sql/sql_select.cc14
5 files changed, 116 insertions, 7 deletions
diff --git a/mysql-test/r/select.result b/mysql-test/r/select.result
index f4a6d17dc9c..2fef3361617 100644
--- a/mysql-test/r/select.result
+++ b/mysql-test/r/select.result
@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
(SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
NULL
drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
End of 10.0 tests
diff --git a/mysql-test/r/select_jcl6.result b/mysql-test/r/select_jcl6.result
index 63c0968dc73..9e35af9cb78 100644
--- a/mysql-test/r/select_jcl6.result
+++ b/mysql-test/r/select_jcl6.result
@@ -5559,6 +5559,33 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
(SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
NULL
drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
End of 10.0 tests
set join_cache_level=default;
set @@optimizer_switch=@save_optimizer_switch_jcl6;
diff --git a/mysql-test/r/select_pkeycache.result b/mysql-test/r/select_pkeycache.result
index f4a6d17dc9c..2fef3361617 100644
--- a/mysql-test/r/select_pkeycache.result
+++ b/mysql-test/r/select_pkeycache.result
@@ -5548,4 +5548,31 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
(SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined))
NULL
drop table t1;
+#
+# Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+# erroneous GROUP_CONCAT
+#
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+ERROR 42S22: Unknown column '2' in 'order clause'
+DROP TABLE t1;
+#
+# Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+# hang + cross-mysqld-interaction + double free or corruption (!prev)
+#
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+GROUP_CONCAT(c ORDER BY 2)
+NULL
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+GROUP_CONCAT(c ORDER BY 0)
+NULL
+DROP TABLE t1;
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+grp GROUP_CONCAT(c ORDER BY 2)
+DROP TABLE t1;
End of 10.0 tests
diff --git a/mysql-test/t/select.test b/mysql-test/t/select.test
index 2567d189465..ea213be9fea 100644
--- a/mysql-test/t/select.test
+++ b/mysql-test/t/select.test
@@ -4670,4 +4670,32 @@ select (SELECT name FROM t1 WHERE name='tom' AND pw=PASSWORD(@undefined));
drop table t1;
+--echo #
+--echo # Bug MDEV-24262 Server crashes in st_join_table::cleanup upon
+--echo # erroneous GROUP_CONCAT
+--echo #
+
+CREATE TABLE t1 (a INT, b INT);
+INSERT INTO t1 VALUES (1,10),(2,20);
+--error ER_BAD_FIELD_ERROR
+SELECT b, GROUP_CONCAT(b ORDER BY 2), MIN(a) AS f FROM t1 GROUP BY b ORDER BY f;
+
+DROP TABLE t1;
+
+--echo #
+--echo # Bug MDEV-24560 SIGSEGV in st_join_table::cleanup + server and client
+--echo # hang + cross-mysqld-interaction + double free or corruption (!prev)
+--echo #
+
+CREATE TABLE t1 (c INT);
+SET SESSION sql_buffer_result=1;
+SELECT GROUP_CONCAT(c ORDER BY 2) FROM t1;
+SELECT GROUP_CONCAT(c ORDER BY 0) FROM t1;
+DROP TABLE t1;
+
+CREATE TABLE t1 (grp INT,c CHAR);
+SET sql_buffer_result=1;
+SELECT grp,GROUP_CONCAT(c ORDER BY 2) FROM t1 GROUP BY grp;
+DROP TABLE t1;
+
--echo End of 10.0 tests
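Review bot: The new test turns on `sql_buffer_result` (`SET SESSION sql_buffer_result=1;` and again `SET sql_buffer_result=1;`) but never restores it, so everything that runs after `End of 10.0 tests` in select.test — and in the select_jcl6 and select_pkeycache variants, whose .result hunks record the same statements — executes with buffered results, and any later re-recording would silently bake that in. Add `SET SESSION sql_buffer_result=DEFAULT;` after the final `DROP TABLE t1;` and re-record the three result files. The second `SET sql_buffer_result=1;` is redundant once the first is in effect and can be dropped. The rest of the test file, including whatever follows the end-of-10.0 marker, lies outside this hunk.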
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 22d3597de16..8d2a4929401 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -2989,14 +2989,11 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
tmp_table_param.using_outer_summary_function=
tab->tmp_table_param->using_outer_summary_function;
tab->join= this;
- DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count || !tables_list);
+ DBUG_ASSERT(tab > tab->join->join_tab || !top_join_tab_count ||
+ !tables_list);
+ tab->table= table;
if (tab > join_tab)
(tab - 1)->next_select= sub_select_postjoin_aggr;
- tab->aggr= new (thd->mem_root) AGGR_OP(tab);
- if (!tab->aggr)
- goto err;
- tab->table= table;
- table->reginfo.join_tab= tab;
/* if group or order on first table, sort first */
if ((group_list && simple_group) ||
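Review bot: With `table->reginfo.join_tab= tab;` moved out of this hunk to the end of the function, the code between here and that new assignment (the group/order sort handling, which lies outside this hunk) now runs with `table->reginfo.join_tab` still unset while `tab->table` is already set by the new `tab->table= table;`. If anything on that path reads `table->reginfo.join_tab`, it will now see NULL where it previously saw `tab`; I could not confirm from the hunk alone that nothing does, so that is worth checking, or keep the assignment here and clear it in `err:` next to `tab->table= NULL;`. The function body starts before and continues past this hunk.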
@@ -3047,12 +3044,15 @@ JOIN::create_postjoin_aggr_table(JOIN_TAB *tab, List<Item> *table_fields,
order= NULL;
}
}
-
+ if (!(tab->aggr= new (thd->mem_root) AGGR_OP(tab)))
+ goto err;
+ table->reginfo.join_tab= tab;
DBUG_RETURN(false);
err:
if (table != NULL)
free_tmp_table(thd, table);
+ tab->table= NULL;
DBUG_RETURN(true);
}
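Review bot: The correctness of this fix rests on an ordering invariant that nothing in the code states: `tab->aggr` must be the last thing assigned, because JOIN_TAB::cleanup() frees the table through a non-NULL `aggr` and the `err:` path frees it directly, so a later reordering that moves the `new AGGR_OP(tab)` back up would reintroduce the double free. Add a comment above the new `if (!(tab->aggr= new (thd->mem_root) AGGR_OP(tab)))` line, e.g. `/* Assign tab->aggr last: JOIN_TAB::cleanup() frees the table via aggr and err: below frees it directly, so setting it before the final failure point would double-free (MDEV-24560). */`. The new `tab->table= NULL;` in `err:` is consistent with `tab->table` now being set early in the function; `table->reginfo.join_tab` is only set on the success path, which looks intentional but is also worth a word in that comment. The function's start is outside this hunk.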