From f2225cab27a2cfae4e18190159d95b9f6c5e10c7 Mon Sep 17 00:00:00 2001
From: "igor@rurik.mysql.com" <>
Date: Wed, 20 Sep 2006 08:08:57 -0700
Subject: Fixed bug #22015: crash with GROUP_CONCAT over a derived table that
 returns the results of aggregation by GROUP_CONCAT. The crash was due to an
 overflow happened for the field sortoder->length. The fix prevents this
 overflow exploiting the fact that the value of sortoder->length cannot be
 greater than the value of thd->variables.max_sort_length.

---
 mysql-test/r/func_gconcat.result |  9 +++++++++
 mysql-test/t/func_gconcat.test   | 15 +++++++++++++++
 sql/filesort.cc                  |  1 +
 3 files changed, 25 insertions(+)

diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result
index 6617ccc671e..93925670d01 100644
--- a/mysql-test/r/func_gconcat.result
+++ b/mysql-test/r/func_gconcat.result
@@ -654,3 +654,12 @@ CHAR_LENGTH( GROUP_CONCAT(b) )
 240001
 SET GROUP_CONCAT_MAX_LEN = 1024;
 DROP TABLE t1;
+CREATE TABLE t1 (a int, b int);
+INSERT INTO t1 VALUES (2,1), (1,2), (2,2), (1,3);
+SELECT GROUP_CONCAT(a), x 
+FROM (SELECT a, GROUP_CONCAT(b) x FROM t1 GROUP BY a) AS s
+GROUP BY x;
+GROUP_CONCAT(a)	x
+2	1,2
+1	2,3
+DROP TABLE t1;
diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test
index 98c21986aa9..b5c468e1638 100644
--- a/mysql-test/t/func_gconcat.test
+++ b/mysql-test/t/func_gconcat.test
@@ -447,3 +447,18 @@ SELECT a, CHAR_LENGTH(b) FROM t1;
 SELECT CHAR_LENGTH( GROUP_CONCAT(b) ) FROM t1;
 SET GROUP_CONCAT_MAX_LEN = 1024;
 DROP TABLE t1;
+
+#
+# Bug #22015: crash with GROUP_CONCAT over a derived table that 
+#             returns the results of aggregation by GROUP_CONCAT  
+#
+
+CREATE TABLE t1 (a int, b int);
+
+INSERT INTO t1 VALUES (2,1), (1,2), (2,2), (1,3);
+
+SELECT GROUP_CONCAT(a), x 
+  FROM (SELECT a, GROUP_CONCAT(b) x FROM t1 GROUP BY a) AS s
+    GROUP BY x;
+
+DROP TABLE t1;
diff --git a/sql/filesort.cc b/sql/filesort.cc
index 42d25dbbaee..f13354d5c72 100644
--- a/sql/filesort.cc
+++ b/sql/filesort.cc
@@ -1268,6 +1268,7 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
       switch ((sortorder->result_type=sortorder->item->result_type())) {
       case STRING_RESULT:
 	sortorder->length=sortorder->item->max_length;
+        set_if_smaller(sortorder->length, thd->variables.max_sort_length);
 	if (use_strnxfrm((cs=sortorder->item->collation.collation)))
 	{ 
           sortorder->length= cs->coll->strnxfrmlen(cs, sortorder->length);
-- 
cgit v1.2.1