MDEV-28206: SIGSEGV in Item_field::fix_fields when using LEAD...OVER

thd->lex->in_sum_func->max_arg_level cannot be set to a
bigger value of select->nest_level if select is null.

4 files changed, 77 insertions, 0 deletions

diff --git a/mysql-test/main/win.result b/mysql-test/main/win.result
index 0874e5b9a24..3e130c9653e 100644
--- a/mysql-test/main/win.result
+++ b/mysql-test/main/win.result
@@ -4352,3 +4352,27 @@ row_number() OVER (order by a)
 2
 3
 drop table t1;
+#
+# MDEV-28206 SIGSEGV in Item_field::fix_fields when using LEAD...OVER
+#
+CREATE TABLE t(c1 INT);
+CREATE FUNCTION f() RETURNS INT READS SQL DATA BEGIN
+DECLARE v INT;
+SELECT 1 INTO v FROM (SELECT c1,COALESCE(LEAD(a2.c1) OVER (PARTITION BY a2.c1 ORDER BY a2.c1),a2.c1) AS a1 FROM (t a2 JOIN t a3 USING (c1))) a4;
+RETURN 1;
+END//
+SELECT f(),f();
+f()	f()
+1	1
+EXECUTE IMMEDIATE "SELECT LEAD(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+LEAD(c1) OVER (ORDER BY c1)
+EXECUTE IMMEDIATE "SELECT SUM(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+SUM(c1) OVER (ORDER BY c1)
+EXECUTE IMMEDIATE "SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 1 AS c) AS a NATURAL JOIN (SELECT 1 AS c) AS b;";
+LEAD(c) OVER (ORDER BY c)
+NULL
+DROP FUNCTION f;
+DROP TABLE t;
+#
+# End of 10.6 tests
+#
diff --git a/mysql-test/main/win.test b/mysql-test/main/win.test
index 5a216123369..d7f52ec32e9 100644
--- a/mysql-test/main/win.test
+++ b/mysql-test/main/win.test
@@ -2829,3 +2829,31 @@ create table t1 (a int);
 insert into t1 values (1),(2),(3);
 SELECT  row_number() OVER (order by a) FROM t1  order by NAME_CONST('myname',NULL);
 drop table t1;
+
+--echo #
+--echo # MDEV-28206 SIGSEGV in Item_field::fix_fields when using LEAD...OVER
+--echo #
+
+CREATE TABLE t(c1 INT);
+
+DELIMITER //;
+CREATE FUNCTION f() RETURNS INT READS SQL DATA BEGIN
+  DECLARE v INT;
+  SELECT 1 INTO v FROM (SELECT c1,COALESCE(LEAD(a2.c1) OVER (PARTITION BY a2.c1 ORDER BY a2.c1),a2.c1) AS a1 FROM (t a2 JOIN t a3 USING (c1))) a4;
+  RETURN 1;
+END//
+DELIMITER ;//
+
+SELECT f(),f();
+
+EXECUTE IMMEDIATE "SELECT LEAD(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+EXECUTE IMMEDIATE "SELECT SUM(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+
+EXECUTE IMMEDIATE "SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 1 AS c) AS a NATURAL JOIN (SELECT 1 AS c) AS b;";
+
+DROP FUNCTION f;
+DROP TABLE t;
+
+--echo #
+--echo # End of 10.6 tests
+--echo #
diff --git a/mysql-test/suite/encryption/r/tempfiles_encrypted.result b/mysql-test/suite/encryption/r/tempfiles_encrypted.result
index fb4738a1fed..2b91cd638e2 100644
--- a/mysql-test/suite/encryption/r/tempfiles_encrypted.result
+++ b/mysql-test/suite/encryption/r/tempfiles_encrypted.result
@@ -4359,6 +4359,30 @@ row_number() OVER (order by a)
 3
 drop table t1;
 #
+# MDEV-28206 SIGSEGV in Item_field::fix_fields when using LEAD...OVER
+#
+CREATE TABLE t(c1 INT);
+CREATE FUNCTION f() RETURNS INT READS SQL DATA BEGIN
+DECLARE v INT;
+SELECT 1 INTO v FROM (SELECT c1,COALESCE(LEAD(a2.c1) OVER (PARTITION BY a2.c1 ORDER BY a2.c1),a2.c1) AS a1 FROM (t a2 JOIN t a3 USING (c1))) a4;
+RETURN 1;
+END//
+SELECT f(),f();
+f()	f()
+1	1
+EXECUTE IMMEDIATE "SELECT LEAD(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+LEAD(c1) OVER (ORDER BY c1)
+EXECUTE IMMEDIATE "SELECT SUM(c1) OVER (ORDER BY c1) FROM t NATURAL JOIN t AS a;";
+SUM(c1) OVER (ORDER BY c1)
+EXECUTE IMMEDIATE "SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 1 AS c) AS a NATURAL JOIN (SELECT 1 AS c) AS b;";
+LEAD(c) OVER (ORDER BY c)
+NULL
+DROP FUNCTION f;
+DROP TABLE t;
+#
+# End of 10.6 tests
+#
+#
 # MDEV-23867: select crash in compute_window_func
 #
 set @save_sort_buffer_size=@@sort_buffer_size;
diff --git a/sql/item.cc b/sql/item.cc
index 91bc175ca13..a63ac1f1119 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -6114,6 +6114,7 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
 
     if (!thd->lex->current_select->no_wrap_view_item &&
         thd->lex->in_sum_func &&
+        select &&
         thd->lex == select->parent_lex &&
         thd->lex->in_sum_func->nest_level == 
         select->nest_level)