authorSergei Golubchik <serg@mariadb.org>2022-04-29 14:50:47 +0200
committerSergei Golubchik <serg@mariadb.org>2022-04-29 17:05:19 +0200
commit0beed9b5e933f0ff79b3bb346524f7a451d14e38 (patch)
treedc3839b657c7f9113ef315a04096480af52a4ae8
parent8c34eab9688b4face54f15f89f5d62bdfd93b8a7 (diff)
downloadmariadb-git-0beed9b5e933f0ff79b3bb346524f7a451d14e38.tar.gz
MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
When resolving names in WHERE and ON clauses, do not look them up in the SELECT list or its aliases.
-rw-r--r--mysql-test/main/having.result6
-rw-r--r--mysql-test/main/having.test3
-rw-r--r--mysql-test/main/subselect_innodb.result12
-rw-r--r--mysql-test/main/subselect_innodb.test8
-rw-r--r--sql/sql_base.cc3
5 files changed, 26 insertions, 6 deletions
diff --git a/mysql-test/main/having.result b/mysql-test/main/having.result
index 8800402dc35..b4ca607ec84 100644
--- a/mysql-test/main/having.result
+++ b/mysql-test/main/having.result
@@ -279,11 +279,7 @@ select t1.col1 as tmp_col from t1
where t1.col2 in
(select t2.col2 from t2
group by t2.col1, t2.col2 having tmp_col <= 10);
-tmp_col
-10
-10
-10
-10
+ERROR 42S22: Unknown column 'tmp_col' in 'having clause'
select t1.col1 from t1
where t1.col2 in
(select t2.col2 from t2
diff --git a/mysql-test/main/having.test b/mysql-test/main/having.test
index b3b128684a3..3f4e8a8e710 100644
--- a/mysql-test/main/having.test
+++ b/mysql-test/main/having.test
@@ -249,7 +249,8 @@ where t1.col2 in
group by t2.col1, t2.col2 having t1.col1 <= 10);
# the having column is resolved in the SELECT clause of the outer query -
-# error in ANSI, works with MySQL extension
+# error in ANSI
+--error ER_BAD_FIELD_ERROR
select t1.col1 as tmp_col from t1
where t1.col2 in
(select t2.col2 from t2
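Review bot: The rewritten comment `# error in ANSI` no longer says why the previously accepted MySQL-extension behaviour is now an error, so a reader bisecting this expectation change has to find the commit; `# error in ANSI; the MySQL extension that resolved it via the outer SELECT list was removed in MDEV-28097 (use-after-free)` records that in place. The statement under test continues past the end of the hunk.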
diff --git a/mysql-test/main/subselect_innodb.result b/mysql-test/main/subselect_innodb.result
index ae22329f62a..467ed218198 100644
--- a/mysql-test/main/subselect_innodb.result
+++ b/mysql-test/main/subselect_innodb.result
@@ -667,5 +667,17 @@ execute stmt;
a b
drop table t1,t2;
#
+# MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+#
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+a
+1
+0
+Warnings:
+Warning 1292 Truncated incorrect DOUBLE value: ''
+drop table t1;
+#
# End of 10.4 tests
#
diff --git a/mysql-test/main/subselect_innodb.test b/mysql-test/main/subselect_innodb.test
index e767891c8db..8ff3a5acf7d 100644
--- a/mysql-test/main/subselect_innodb.test
+++ b/mysql-test/main/subselect_innodb.test
@@ -659,5 +659,13 @@ execute stmt;
drop table t1,t2;
--echo #
+--echo # MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+--echo #
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+drop table t1;
+
+--echo #
--echo # End of 10.4 tests
--echo #
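Review bot: The new regression test runs the query once as a plain statement, while the earlier tests in this file (see the `execute stmt;` context above) exercise re-execution through prepared statements; since the bug is described as a use-after-free tied to resolving an outer SELECT-list item, a second execution is the path most likely to regress, though I cannot confirm from the hunk that the original crash needed it. Consider adding `prepare stmt from "select distinct a from t1 where '' in (select 'x' like a having a like a)"; execute stmt; execute stmt; deallocate prepare stmt;` before the `drop table t1;`, ideally under a valgrind/ASAN build where a stale pointer is caught rather than silently reused.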
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 14b97b43660..ef7a075e304 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -8398,9 +8398,11 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
thd->lex->which_check_option_applicable();
bool save_is_item_list_lookup= select_lex->is_item_list_lookup;
TABLE_LIST *derived= select_lex->master_unit()->derived;
+ bool save_resolve_in_select_list= select_lex->context.resolve_in_select_list;
DBUG_ENTER("setup_conds");
select_lex->is_item_list_lookup= 0;
+ select_lex->context.resolve_in_select_list= false;
thd->column_usage= MARK_COLUMNS_READ;
DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage));
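Review bot: The added `select_lex->context.resolve_in_select_list= false;` is placed next to `is_item_list_lookup= 0` with no comment explaining why two separate flags must now be cleared, which is exactly what the next person touching name resolution will need; a why-comment on the new line, `// MDEV-28097: WHERE/ON must never resolve names through the SELECT list or its aliases; a HAVING inside a WHERE subquery otherwise binds to an outer select-list item that is not safe to reference (use-after-free).` would close that gap. The save is taken before `DBUG_ENTER`, mirroring `save_is_item_list_lookup`, so the ordering is consistent. setup_conds continues outside the hunk.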
@@ -8453,6 +8455,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
select_lex->where= *conds;
}
thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
+ select_lex->context.resolve_in_select_list= save_resolve_in_select_list;
DBUG_RETURN(thd->is_error());
err_no_arena:
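Review bot: The restore of `resolve_in_select_list` on the added line only covers the normal return; `err_no_arena:` on the last line is a second exit from setup_conds, and if that path restores `is_item_list_lookup` the way the success path does (its body is outside the hunk), the new flag needs the same restore there, `select_lex->context.resolve_in_select_list= save_resolve_in_select_list;` before its DBUG_RETURN, otherwise an error during condition setup leaves the name-resolution context with the flag cleared for whatever resolves against it next. The existing restore goes through `thd->lex->current_select` while the new one uses `select_lex`; if those are always the same object here, using one spelling for both would make the pairing obvious.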