MDEV-7821 Server crashes in Item_func_group_concat::fix_fields on 2nd execution of PS

Correct fix for this bug. The problem was that Item_func_group_concat() was calling setup_order(), passing args as the second argument, ref_pointer_array. While ref_pointer_array should have free space at the end, as setup_order() can append elements to it. In this particular case args[] elements were overwritten when setup_order() was pushing new elements into ref_pointer_array.
author: Sergei Golubchik <serg@mariadb.org> 2015-07-31 22:09:46 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2015-07-31 22:09:46 +0200
commit: 96badb16afcf8a6ae3d03918419fc51ace4be236 (patch)
tree: 86469f7d770524acbca2ac44e1300ae46296224a /sql/item_sum.h
parent: 409709ec7edc0dd6eb725e766f0d4c52192accfc (diff)
download: mariadb-git-96badb16afcf8a6ae3d03918419fc51ace4be236.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/sql/item_sum.h b/sql/item_sum.h
index f074cc6c822..86093f5d4f5 100644
--- a/sql/item_sum.h
+++ b/sql/item_sum.h
@@ -1394,6 +1394,7 @@ class Item_func_group_concat : public Item_sum
   String *separator;
   TREE tree_base;
   TREE *tree;
+  Item **ref_pointer_array;
 
   /**
      If DISTINCT is used with this GROUP_CONCAT, this member is used to filter
author	Sergei Golubchik <serg@mariadb.org>	2015-07-31 22:09:46 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2015-07-31 22:09:46 +0200
commit	96badb16afcf8a6ae3d03918419fc51ace4be236 (patch)
tree	86469f7d770524acbca2ac44e1300ae46296224a /sql/item_sum.h
parent	409709ec7edc0dd6eb725e766f0d4c52192accfc (diff)
download	mariadb-git-96badb16afcf8a6ae3d03918419fc51ace4be236.tar.gz