Bug #44886: SIGSEGV in test_if_skip_sort_order() -

            uninitialized variable used as subscript

Grouping select from a "constant" InnoDB table (a table
of a single row) joined with other tables caused a crash.


mysql-test/r/innodb_mysql.result:
  Added test case for bug bug #44886.
mysql-test/t/innodb_mysql.test:
  Added test case for bug bug #44886.
sql/sql_select.cc:
  Bug #44886: SIGSEGV in test_if_skip_sort_order() -
              uninitialized variable used as subscript
  
  1. The test_if_order_by_key function returned unitialized
     used_key_parts parameter in case of a "constant" InnoDB
     table. Calling function uses this parameter values as
     an array index, thus sometimes it caused a crash.
     The test_if_order_by_key function has been modified
     to set used_key_parts to 0 (no need for ordering).
  
  2. The test_if_skip_sort_order function has been
     modified to accept zero used_key_parts value and
     to prevent an array access by negative index.

1 files changed, 5 insertions, 1 deletions

diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 06776f5f7b3..526b926d66d 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -12658,7 +12658,10 @@ static int test_if_order_by_key(ORDER *order, TABLE *table, uint idx,
          one row).  The sorting doesn't matter.
         */
         if (key_part == key_part_end && reverse == 0)
+        {
+          *used_key_parts= 0;
           DBUG_RETURN(1);
+        }
       }
       else
         DBUG_RETURN(0);
@@ -13155,7 +13158,8 @@ test_if_skip_sort_order(JOIN_TAB *tab,ORDER *order,ha_rows select_limit,
             select_limit= table_records;
           if (group)
           {
-            rec_per_key= keyinfo->rec_per_key[used_key_parts-1];
+            rec_per_key= used_key_parts ? keyinfo->rec_per_key[used_key_parts-1]
+                                        : 1;
             set_if_bigger(rec_per_key, 1);
             /*
               With a grouping query each group containing on average