Mirrors
/
mariadb
mirror of https://github.com/MariaDB/server
3
0
Fork 0
Code Releases Activity
Browse Source

MDEV-7821 Server crashes in Item_func_group_concat::fix_fields on 2nd execution of PS 

Correct fix for this bug.

The problem was that Item_func_group_concat() was calling
setup_order(), passing args as the second argument,
ref_pointer_array. While ref_pointer_array should have free
space at the end, as setup_order() can append elements to it.

In this particular case args[] elements were overwritten when
setup_order() was pushing new elements into ref_pointer_array.
pull/109/head
Sergei Golubchik 10 years ago
parent
409709ec7e
commit
96badb16af
2 changed files with 11 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      sql/item_sum.cc
  2. 1
      sql/item_sum.h

14
sql/item_sum.cc
View File

@ -3300,8 +3300,6 @@ void Item_func_group_concat::cleanup()
from Item_func_group_concat::setup() to point to runtime from Item_func_group_concat::setup() to point to runtime
created objects, we need to reset them back to the original created objects, we need to reset them back to the original
arguments of the function. arguments of the function.
The very same applies to args array.
*/ */
ORDER **order_ptr= order; ORDER **order_ptr= order;
for (uint i= 0; i < arg_count_order; i++) for (uint i= 0; i < arg_count_order; i++)
@ -3309,7 +3307,6 @@ void Item_func_group_concat::cleanup()
(*order_ptr)->item= &args[arg_count_field + i]; (*order_ptr)->item= &args[arg_count_field + i];
order_ptr++; order_ptr++;
} }
memcpy(args, orig_args, sizeof(Item *) * arg_count);
DBUG_VOID_RETURN; DBUG_VOID_RETURN;
} }
@ -3517,9 +3514,16 @@ bool Item_func_group_concat::setup(THD *thd)
"all_fields". The resulting field list is used as input to create "all_fields". The resulting field list is used as input to create
tmp table columns. tmp table columns.
*/ */
if (arg_count_order &&
setup_order(thd, args, context->table_list, list, all_fields, *order))
if (arg_count_order)
{
uint n_elems= arg_count_order + all_fields.elements;
ref_pointer_array= static_cast<Item**>(thd->alloc(sizeof(Item*) * n_elems));
memcpy(ref_pointer_array, args, arg_count * sizeof(Item*));
if (!ref_pointer_array ||
setup_order(thd, ref_pointer_array, context->table_list, list,
all_fields, *order))
DBUG_RETURN(TRUE); DBUG_RETURN(TRUE);
}
count_field_types(select_lex, tmp_table_param, all_fields, 0); count_field_types(select_lex, tmp_table_param, all_fields, 0);
tmp_table_param->force_copy_fields= force_copy_fields; tmp_table_param->force_copy_fields= force_copy_fields;

1
sql/item_sum.h
View File

@ -1394,6 +1394,7 @@ class Item_func_group_concat : public Item_sum
String *separator; String *separator;
TREE tree_base; TREE tree_base;
TREE *tree; TREE *tree;
Item **ref_pointer_array;
/** /**
If DISTINCT is used with this GROUP_CONCAT, this member is used to filter If DISTINCT is used with this GROUP_CONCAT, this member is used to filter

Write Preview
Loading…
Cancel
Save