MDEV-15057 Crash when using an unknown identifier as an SP parameter

It crashed because we accessed lex->current_select when it was a NULL, which is the case for SP parameters or local variables.
author: Monty <monty@mariadb.org> 2018-01-24 16:28:54 +0200
committer: Monty <monty@mariadb.org> 2018-01-24 16:38:47 +0200
commit: 0dbe3dbe7929c209614ab5803084c101b433299c (patch)
tree: 1e7258e9b3384dc427684f07810cbd29456ee03d /sql/item.cc
parent: c269f1d6feb2e5ac1aeef96fbd3a64d0085c2f7c (diff)
download: mariadb-git-0dbe3dbe7929c209614ab5803084c101b433299c.tar.gz
1 files changed, 21 insertions, 13 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 72e24c8ec70..e0e015196e7 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -5132,7 +5132,7 @@ Item_field::fix_outer_field(THD *thd, Field **from_field, Item **reference)
   */
   Name_resolution_context *last_checked_context= context;
   Item **ref= (Item **) not_found_item;
-  SELECT_LEX *current_sel= (SELECT_LEX *) thd->lex->current_select;
+  SELECT_LEX *current_sel= thd->lex->current_select;
   Name_resolution_context *outer_context= 0;
   SELECT_LEX *select= 0;
   /* Currently derived tables cannot be correlated */
@@ -5465,6 +5465,7 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
   DBUG_ASSERT(fixed == 0);
   Field *from_field= (Field *)not_found_field;
   bool outer_fixed= false;
+  SELECT_LEX *select= thd->lex->current_select;
 
   if (!field)					// If field is not checked
   {
@@ -5486,13 +5487,14 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
 	not_found_field)
     {
       int ret;
+
       /* Look up in current select's item_list to find aliased fields */
-      if (thd->lex->current_select->is_item_list_lookup)
+      if (select && select->is_item_list_lookup)
       {
         uint counter;
         enum_resolution_type resolution;
         Item** res= find_item_in_list(this,
-                                      thd->lex->current_select->item_list,
+                                      select->item_list,
                                       &counter, REPORT_EXCEPT_NOT_FOUND,
                                       &resolution);
         if (!res)
@@ -5524,7 +5526,7 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
               We can not "move" aggregate function in the place where
               its arguments are not defined.
             */
-            set_max_sum_func_level(thd, thd->lex->current_select);
+            set_max_sum_func_level(thd, select);
             set_field(new_field);
             return 0;
           }
@@ -5544,7 +5546,6 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
             if (err)
               return TRUE;
            
-            SELECT_LEX *select= thd->lex->current_select;
             thd->change_item_tree(reference,
                                   select->context_analysis_place == IN_GROUP_BY && 
 				  alias_name_used  ?  *rf->ref : rf);
@@ -5553,11 +5554,17 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
               We can not "move" aggregate function in the place where
               its arguments are not defined.
             */
-            set_max_sum_func_level(thd, thd->lex->current_select);
+            set_max_sum_func_level(thd, select);
             return FALSE;
           }
         }
       }
+
+      if (!select)
+      {
+        my_error(ER_BAD_FIELD_ERROR, MYF(0), full_name(), thd->where);
+        goto error;
+      }
       if ((ret= fix_outer_field(thd, &from_field, reference)) < 0)
         goto error;
       outer_fixed= TRUE;
@@ -5586,9 +5593,9 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
 
     if (thd->lex->in_sum_func &&
         thd->lex->in_sum_func->nest_level == 
-        thd->lex->current_select->nest_level)
+        select->nest_level)
       set_if_bigger(thd->lex->in_sum_func->max_arg_level,
-                    thd->lex->current_select->nest_level);
+                    select->nest_level);
     /*
       if it is not expression from merged VIEW we will set this field.
 
@@ -5654,11 +5661,12 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
     fix_session_vcol_expr_for_read(thd, field, field->vcol_info);
   if (thd->variables.sql_mode & MODE_ONLY_FULL_GROUP_BY &&
       !outer_fixed && !thd->lex->in_sum_func &&
-      thd->lex->current_select->cur_pos_in_select_list != UNDEF_POS &&
-      thd->lex->current_select->join)
+      select &&
+      select->cur_pos_in_select_list != UNDEF_POS &&
+      select->join)
   {
-    thd->lex->current_select->join->non_agg_fields.push_back(this, thd->mem_root);
-    marker= thd->lex->current_select->cur_pos_in_select_list;
+    select->join->non_agg_fields.push_back(this, thd->mem_root);
+    marker= select->cur_pos_in_select_list;
   }
 mark_non_agg_field:
   /*
@@ -5695,7 +5703,7 @@ mark_non_agg_field:
       if (outer_fixed)
         thd->lex->in_sum_func->outer_fields.push_back(this, thd->mem_root);
       else if (thd->lex->in_sum_func->nest_level !=
-          thd->lex->current_select->nest_level)
+          select->nest_level)
         select_lex->set_non_agg_field_used(true);
     }
   }
author	Monty <monty@mariadb.org>	2018-01-24 16:28:54 +0200
committer	Monty <monty@mariadb.org>	2018-01-24 16:38:47 +0200
commit	0dbe3dbe7929c209614ab5803084c101b433299c (patch)
tree	1e7258e9b3384dc427684f07810cbd29456ee03d /sql/item.cc
parent	c269f1d6feb2e5ac1aeef96fbd3a64d0085c2f7c (diff)
download	mariadb-git-0dbe3dbe7929c209614ab5803084c101b433299c.tar.gz