From 8dbfaa2aa4d6158f81bba3f5a46d683912b06868 Mon Sep 17 00:00:00 2001
From: Sergei Petrunia
Date: Wed, 4 May 2022 12:24:14 +0300
Subject: MDEV-28437: Assertion `!eliminated' failed in Item_subselect::exec

(This is the assert that was added in fix for MDEV-26047) Table elimination may remove an ON expression from an outer join. However SELECT_LEX::update_used_tables() will still call item->walk(&Item::eval_not_null_tables) for eliminated expressions. If the subquery is constant and cheap Item_cond_and will attempt to evaluate it, which will trigger an assert. The fix is not to call update_used_tables() or eval_not_null_tables() for ON expressions that were eliminated.
---
 sql/sql_select.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sql/sql_select.cc')

diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index e9d81417ee6..82792bbc723 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -25495,7 +25495,7 @@ static void print_table_array(THD *thd,
   too)
 */
-static bool is_eliminated_table(table_map eliminated_tables, TABLE_LIST *tbl)
+bool is_eliminated_table(table_map eliminated_tables, TABLE_LIST *tbl)
 {
   return eliminated_tables &&
     ((tbl->table && (tbl->table->map & eliminated_tables)) ||
-- cgit v1.2.1

From 141ab971d8d31968ac7104e71801c6ec75638af3 Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin
Date: Wed, 4 May 2022 19:51:26 +0200
Subject: MDEV-28402 ASAN heap-use-after-free in create_tmp_table, Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'

Make default() function follow Item_field and use get_tmp_table_item() for change_to_use_tmp_fields().
---
 sql/sql_select.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'sql/sql_select.cc')

diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 82792bbc723..760730d799c 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
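Review bot: is_eliminated_table() now has external linkage, but no header declaration appears anywhere in this hunk, so whichever other translation unit the commit message implies now calls it (not shown, the diff is limited to sql_select.cc) must be relying on a prototype declared elsewhere; the exported signature should live once in sql_select.h as `bool is_eliminated_table(table_map eliminated_tables, TABLE_LIST *tbl);` with a one-line comment stating its contract. That comment should also say that `tbl` must be non-NULL, since the body dereferences it unconditionally on the last visible line. The function's body continues past the end of the hunk, so the second operand of the `||` is not visible here.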
@@ -23727,12 +23727,14 @@ change_to_use_tmp_fields(THD *thd, Ref_ptr_array ref_pointer_array,
   for (uint i= 0; (item= it++); i++)
   {
     Field *field;
-    if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||
+    enum Item::Type item_type= item->type();
+    if ((item->with_sum_func && item_type != Item::SUM_FUNC_ITEM) ||
         item->with_window_func)
       item_field= item;
-    else if (item->type() == Item::FIELD_ITEM)
+    else if (item_type == Item::FIELD_ITEM ||
+             item_type == Item::DEFAULT_VALUE_ITEM)
       item_field= item->get_tmp_table_item(thd);
-    else if (item->type() == Item::FUNC_ITEM &&
+    else if (item_type == Item::FUNC_ITEM &&
              ((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC)
     {
       field= item->get_tmp_table_field();
-- cgit v1.2.1
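Review bot: The new `Item::DEFAULT_VALUE_ITEM` branch carries no explanation, and its correctness depends on Item_default_value::get_tmp_table_item() returning an item bound to the temporary table's field rather than the original one, which is not visible in this hunk; a why-comment would stop a later cleanup from folding it back into the generic path, e.g. `/* MDEV-28402: default(col) must be re-pointed at the tmp table exactly like a plain field; otherwise it presumably keeps a reference into the original record that the commit title's use-after-free reports */`. On style, `enum Item::Type item_type= item->type();` can drop the redundant elaborated-type keyword in C++: `Item::Type item_type= item->type();`. The enclosing change_to_use_tmp_fields() begins and ends outside the hunk, and the regression test for the ASAN report is not part of this diff, so it should be confirmed to exist in the accompanying mysql-test change.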