From f8c3d5927445dcd75f31ed8e9fb3cfcc07c3ed8f Mon Sep 17 00:00:00 2001
From: Nayuta Yanagisawa
Date: Tue, 4 Jan 2022 13:21:14 +0900
Subject: MDEV-26583 SIGSEGV's in spider_get_select_limit_from_select_lex when DELAYED INSERT is used

Spider dereferences a freed select_lex and then results in SIGSEGV.
---
 sql/sql_insert.cc | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'sql/sql_insert.cc')

diff --git a/sql/sql_insert.cc b/sql/sql_insert.cc
index 0f454e74a48..460fbba4ac5 100644
--- a/sql/sql_insert.cc
+++ b/sql/sql_insert.cc
@@ -2423,6 +2423,11 @@ bool delayed_get_table(THD *thd, MDL_request *grl_protection_request,
 di->table_list.alias.str= di->table_list.table_name.str= di->thd.query();
 di->table_list.alias.length= di->table_list.table_name.length= di->thd.query_length();
 di->table_list.db= di->thd.db;
+ /*
+ Nulify select_lex because, if the thread that spawned the current one
+ disconnects, the select_lex will point to freed memory.
+ */
+ di->table_list.select_lex= NULL;
 /*
 We need the tickets so that they can be cloned in
 handle_delayed_insert
-- 
cgit v1.2.1
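Review bot: Setting `di->table_list.select_lex= NULL` removes the dangling pointer, but it only prevents the crash if every reader of this TABLE_LIST in the delayed-insert thread tolerates a NULL select_lex. The Spider function named in the subject is not part of this view (it is limited to sql/sql_insert.cc), so confirm it checks for NULL before dereferencing; otherwise the use-after-free becomes a NULL dereference, which is deterministic but still takes the server down. The context lines just above repoint alias, table_name and db to data owned by di->thd, which suggests the other pointer members of di->table_list may also still refer to the spawning thread's memory and are worth auditing for the same lifetime problem. The new comment has a typo, `Nulify` should read `Nullify`. delayed_get_table's body starts and ends outside the hunk.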