From 08763096cb8e8b1497d33a0bf29babfa67f6817a Mon Sep 17 00:00:00 2001
From: Chaithra Gopalareddy
Date: Thu, 26 Feb 2015 09:59:00 +0530
Subject: Bug #19814337 - SERVER CRASHES IN ITEM_FUNC_GROUP_CONCAT::FIX_FIELDS ON 3RD EXECUTION OF PS

Problem: When order by is by a column number for a group concat function which has an outer reference, server fails in case of prepared statements on the third execution
Analysis: When a group concat function has order by, the fields in order by are not resolved until execution if the input is a column number. During execution they get resolved after the temp table gets created. As a result they will be pointing to temp table fields which are runtime created objects. This results in dangling pointers leading to server failure.
Solution: Reset the pointers for the order by fields to point to the original arguments after execution as they are invalid. Done in Item_func_group_concat::cleanup.
---
 sql/item_sum.cc | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 (limited to 'sql/item_sum.cc')
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index c9ef2505d3d..f491795c449 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 rights reserved.
 This program is free software; you can redistribute it and/or modify
@@ -3174,6 +3174,19 @@ void Item_func_group_concat::cleanup()
 }
 DBUG_ASSERT(tree == 0);
 }
+ /*
+ As the ORDER structures pointed to by the elements of the
+ 'order' array may be modified in find_order_in_list() called
+ from Item_func_group_concat::setup() to point to runtime
+ created objects, we need to reset them back to the original
+ arguments of the function.
+ */
+ ORDER **order_ptr= order;
+ for (uint i= 0; i < arg_count_order; i++)
+ {
+ (*order_ptr)->item= &args[arg_count_field + i];
+ order_ptr++;
+ }
 DBUG_VOID_RETURN;
 }
-- 
cgit v1.2.1
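Review bot: The reset loop dereferences `order[i]` for every `i < arg_count_order` and relies on the ORDER entries lining up 1:1 with the args that follow the `arg_count_field` field args, but nothing in the hunk checks either invariant; a `DBUG_ASSERT(arg_count_order == 0 || order != NULL);` before the loop would make a broken invariant fail loudly in debug builds rather than turning into another stale-pointer dereference of the kind this commit is fixing. The manual pointer walk could also be written as the plainer `for (uint i= 0; i < arg_count_order; i++) order[i]->item= &args[arg_count_field + i];`, which drops the separate `order_ptr` cursor. If the ORDER structures are shared between an item and copies made of it (not visible here), whichever cleanup() runs last decides which `args` array they end up pointing into, so a short comment stating that the original and its copies must share the same args layout would help the next reader. cleanup() starts outside the hunk.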