From 2412c151916dc65660644a0cd2fe5f34816ea901 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.com>
Date: Wed, 13 Jun 2018 11:56:56 +0400
Subject: MDEV-15870 Using aggregate and window function in unexpected places
 can crash the server

---
 sql/item_sum.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sql/item_sum.cc')

diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index 4cf11e81d3d..cb150db3031 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -68,14 +68,14 @@ size_t Item_sum::ram_limitation(THD *thd)
 bool Item_sum::init_sum_func_check(THD *thd)
 {
   SELECT_LEX *curr_sel= thd->lex->current_select;
-  if (!curr_sel->name_visibility_map)
+  if (curr_sel && !curr_sel->name_visibility_map)
   {
     for (SELECT_LEX *sl= curr_sel; sl; sl= sl->context.outer_select())
     {
       curr_sel->name_visibility_map|= (1 << sl-> nest_level);
     }
   }
-  if (!(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
+  if (!curr_sel || !(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
   {
     my_message(ER_INVALID_GROUP_FUNC_USE, ER_THD(thd, ER_INVALID_GROUP_FUNC_USE),
                MYF(0));
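Review bot: The context line `curr_sel->name_visibility_map|= (1 << sl-> nest_level);` does the shift in plain `int`, so a `nest_level` of 31 or more is undefined behaviour and the bit later tested against `allow_sum_func` would be wrong. The declaration of `name_visibility_map` is not visible in this hunk; if it is the 64-bit `nesting_map`, shift in that type: `curr_sel->name_visibility_map|= ((nesting_map) 1 << sl->nest_level);`. The new `curr_sel &&` and `!curr_sel ||` guards would also benefit from a one-line comment saying when `current_select` can be NULL, so they are not later removed as dead code. `init_sum_func_check` continues past the end of the hunk.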
-- 
cgit v1.2.1


From 6b8802e8dd5467556a024d807a1df23940b00895 Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin <sanja@mariadb.com>
Date: Tue, 8 May 2018 15:26:26 +0200
Subject: MDEV-11071: Assertion `thd->transaction.stmt.is_empty()' failed in
 Locked_tables_list::unlock_locked_table

fix_length_and_dec now returns a result (error/OK)
---
 sql/item_sum.cc | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

(limited to 'sql/item_sum.cc')

diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index cb150db3031..9e59ec4e373 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -1132,9 +1132,8 @@ Item_sum_num::fix_fields(THD *thd, Item **ref)
   result_field=0;
   max_length=float_length(decimals);
   null_value=1;
-  fix_length_and_dec();
-
-  if (check_sum_func(thd, ref))
+  if (fix_length_and_dec() ||
+      check_sum_func(thd, ref))
     return TRUE;
 
   memcpy (orig_args, args, sizeof (Item *) * arg_count);
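Review bot: Nothing at `if (fix_length_and_dec() ||` states who reports the error when `fix_length_and_dec()` fails. `fix_fields` now returns TRUE on that path, so an override that returns TRUE without raising a diagnostic would abort the statement with no error set. A comment at the call would pin the contract, e.g. `/* fix_length_and_dec() returns TRUE on error and must already have reported it */`. The same applies to the identical change in the `Item_sum_hybrid::fix_fields` hunk that follows. Both functions start and end outside their hunks.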
@@ -1189,9 +1188,8 @@ Item_sum_hybrid::fix_fields(THD *thd, Item **ref)
   maybe_null= 1;
   result_field=0;
   null_value=1;
-  fix_length_and_dec();
-
-  if (check_sum_func(thd, ref))
+  if (fix_length_and_dec() ||
+      check_sum_func(thd, ref))
     return TRUE;
 
   orig_args[0]= args[0];
@@ -1329,7 +1327,7 @@ void Item_sum_sum::clear()
 }
 
 
-void Item_sum_sum::fix_length_and_dec()
+bool Item_sum_sum::fix_length_and_dec()
 {
   DBUG_ENTER("Item_sum_sum::fix_length_and_dec");
   maybe_null=null_value=1;
@@ -1364,7 +1362,7 @@ void Item_sum_sum::fix_length_and_dec()
                        "--ILLEGAL!!!--"),
                       max_length,
                       (int)decimals));
-  DBUG_VOID_RETURN;
+  DBUG_RETURN(FALSE);
 }
 
 
@@ -1664,9 +1662,10 @@ void Item_sum_count::cleanup()
 /*
   Avgerage
 */
-void Item_sum_avg::fix_length_and_dec()
+bool Item_sum_avg::fix_length_and_dec()
 {
-  Item_sum_sum::fix_length_and_dec();
+  if (Item_sum_sum::fix_length_and_dec())
+    return TRUE;
   maybe_null=null_value=1;
   prec_increment= current_thd->variables.div_precincrement;
   if (Item_sum_avg::result_type() == DECIMAL_RESULT)
@@ -1686,6 +1685,7 @@ void Item_sum_avg::fix_length_and_dec()
                      FLOATING_POINT_DECIMALS);
     max_length= MY_MIN(args[0]->max_length + prec_increment, float_length(decimals));
   }
+  return FALSE;
 }
 
 
@@ -1884,7 +1884,7 @@ Item_sum_variance::Item_sum_variance(THD *thd, Item_sum_variance *item):
 }
 
 
-void Item_sum_variance::fix_length_and_dec()
+bool Item_sum_variance::fix_length_and_dec()
 {
   DBUG_ENTER("Item_sum_variance::fix_length_and_dec");
   maybe_null= null_value= 1;
@@ -1919,7 +1919,7 @@ void Item_sum_variance::fix_length_and_dec()
     DBUG_ASSERT(0);
   }
   DBUG_PRINT("info", ("Type: REAL_RESULT (%d, %d)", max_length, (int)decimals));
-  DBUG_VOID_RETURN;
+  DBUG_RETURN(FALSE);
 }
 
 
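Review bot: The `DBUG_ASSERT(0);` branch at the top of this hunk still falls through to the new `DBUG_RETURN(FALSE)`, so a build with debug assertions compiled out reports an unexpected result type as success. Now that the function can signal failure, that branch could raise an error and end with `DBUG_RETURN(TRUE);` instead of relying on the assertion. The switch containing the branch starts outside the hunk, so this is inferred from the visible lines only. The `"--ILLEGAL!!!--"` debug string in the earlier `Item_sum_sum::fix_length_and_dec` hunk suggests the same path may exist there.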
@@ -2989,13 +2989,13 @@ my_decimal *Item_sum_udf_int::val_decimal(my_decimal *dec)
 
 /** Default max_length is max argument length. */
 
-void Item_sum_udf_str::fix_length_and_dec()
+bool Item_sum_udf_str::fix_length_and_dec()
 {
   DBUG_ENTER("Item_sum_udf_str::fix_length_and_dec");
   max_length=0;
   for (uint i = 0; i < arg_count; i++)
     set_if_bigger(max_length,args[i]->max_length);
-  DBUG_VOID_RETURN;
+  DBUG_RETURN(FALSE);
 }
 
 
-- 
cgit v1.2.1