From 2412c151916dc65660644a0cd2fe5f34816ea901 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.com>
Date: Wed, 13 Jun 2018 11:56:56 +0400
Subject: MDEV-15870 Using aggregate and window function in unexpected places
can crash the server
---
sql/item_sum.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sql/item_sum.cc')
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index 4cf11e81d3d..cb150db3031 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -68,14 +68,14 @@ size_t Item_sum::ram_limitation(THD *thd)
bool Item_sum::init_sum_func_check(THD *thd)
{
SELECT_LEX *curr_sel= thd->lex->current_select;
- if (!curr_sel->name_visibility_map)
+ if (curr_sel && !curr_sel->name_visibility_map)
{
for (SELECT_LEX *sl= curr_sel; sl; sl= sl->context.outer_select())
{
curr_sel->name_visibility_map|= (1 << sl-> nest_level);
}
}
- if (!(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
+ if (!curr_sel || !(thd->lex->allow_sum_func & curr_sel->name_visibility_map))
{
my_message(ER_INVALID_GROUP_FUNC_USE, ER_THD(thd, ER_INVALID_GROUP_FUNC_USE),
MYF(0));
--
cgit v1.2.1
From 6b8802e8dd5467556a024d807a1df23940b00895 Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin <sanja@mariadb.com>
Date: Tue, 8 May 2018 15:26:26 +0200
Subject: MDEV-11071: Assertion `thd->transaction.stmt.is_empty()' failed in
Locked_tables_list::unlock_locked_table
fix_length_and_dec now return result (error/OK)
---
sql/item_sum.cc | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
(limited to 'sql/item_sum.cc')
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index cb150db3031..9e59ec4e373 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -1132,9 +1132,8 @@ Item_sum_num::fix_fields(THD *thd, Item **ref)
result_field=0;
max_length=float_length(decimals);
null_value=1;
- fix_length_and_dec();
-
- if (check_sum_func(thd, ref))
+ if (fix_length_and_dec() ||
+ check_sum_func(thd, ref))
return TRUE;
memcpy (orig_args, args, sizeof (Item *) * arg_count);
@@ -1189,9 +1188,8 @@ Item_sum_hybrid::fix_fields(THD *thd, Item **ref)
maybe_null= 1;
result_field=0;
null_value=1;
- fix_length_and_dec();
-
- if (check_sum_func(thd, ref))
+ if (fix_length_and_dec() ||
+ check_sum_func(thd, ref))
return TRUE;
orig_args[0]= args[0];
@@ -1329,7 +1327,7 @@ void Item_sum_sum::clear()
}
-void Item_sum_sum::fix_length_and_dec()
+bool Item_sum_sum::fix_length_and_dec()
{
DBUG_ENTER("Item_sum_sum::fix_length_and_dec");
maybe_null=null_value=1;
@@ -1364,7 +1362,7 @@ void Item_sum_sum::fix_length_and_dec()
"--ILLEGAL!!!--"),
max_length,
(int)decimals));
- DBUG_VOID_RETURN;
+ DBUG_RETURN(FALSE);
}
@@ -1664,9 +1662,10 @@ void Item_sum_count::cleanup()
/*
Avgerage
*/
-void Item_sum_avg::fix_length_and_dec()
+bool Item_sum_avg::fix_length_and_dec()
{
- Item_sum_sum::fix_length_and_dec();
+ if (Item_sum_sum::fix_length_and_dec())
+ return TRUE;
maybe_null=null_value=1;
prec_increment= current_thd->variables.div_precincrement;
if (Item_sum_avg::result_type() == DECIMAL_RESULT)
@@ -1686,6 +1685,7 @@ void Item_sum_avg::fix_length_and_dec()
FLOATING_POINT_DECIMALS);
max_length= MY_MIN(args[0]->max_length + prec_increment, float_length(decimals));
}
+ return FALSE;
}
@@ -1884,7 +1884,7 @@ Item_sum_variance::Item_sum_variance(THD *thd, Item_sum_variance *item):
}
-void Item_sum_variance::fix_length_and_dec()
+bool Item_sum_variance::fix_length_and_dec()
{
DBUG_ENTER("Item_sum_variance::fix_length_and_dec");
maybe_null= null_value= 1;
@@ -1919,7 +1919,7 @@ void Item_sum_variance::fix_length_and_dec()
DBUG_ASSERT(0);
}
DBUG_PRINT("info", ("Type: REAL_RESULT (%d, %d)", max_length, (int)decimals));
- DBUG_VOID_RETURN;
+ DBUG_RETURN(FALSE);
}
@@ -2989,13 +2989,13 @@ my_decimal *Item_sum_udf_int::val_decimal(my_decimal *dec)
/** Default max_length is max argument length. */
-void Item_sum_udf_str::fix_length_and_dec()
+bool Item_sum_udf_str::fix_length_and_dec()
{
DBUG_ENTER("Item_sum_udf_str::fix_length_and_dec");
max_length=0;
for (uint i = 0; i < arg_count; i++)
set_if_bigger(max_length,args[i]->max_length);
- DBUG_VOID_RETURN;
+ DBUG_RETURN(FALSE);
}
--
cgit v1.2.1