From 0733ea7462dc16b2ec39b7fb4c73d5828fdd1444 Mon Sep 17 00:00:00 2001
From: "cmiller@calliope.local.cmiller/calliope.local" <>
Date: Fri, 9 Feb 2007 11:05:36 +0100
Subject: [PATCH] Bug#25126: Reference to non-existant column in UPDATE...ORDER
 BY... crashes server

"update existingtable set anycolumn=nonexisting order by nonexisting" would crash
the server.

Though we would find the reference to a field, that doesn't mean we can then use
it to set some values.  It could be a reference to another field.  If it is NULL,
don't try to use it to set values in the Item_field and instead return an error.

Over the previous patch, this signals an error at the location of the error, rather
than letting the subsequent deref signal it.
---
 mysql-test/r/order_by.result | 24 ++++++++++++++++++++++++
 mysql-test/t/order_by.test   | 30 ++++++++++++++++++++++++++++++
 sql/item.cc                  | 13 ++++++++++++-
 3 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/order_by.result b/mysql-test/r/order_by.result
index 320bb89b62e..a20a715a325 100644
--- a/mysql-test/r/order_by.result
+++ b/mysql-test/r/order_by.result
@@ -847,3 +847,27 @@ num	(select num + 2 FROM t1 LIMIT 1)
 SELECT a.a + 1 AS num FROM t1 a JOIN t1 b ON num = b.a;
 ERROR 42S22: Unknown column 'num' in 'on clause'
 DROP TABLE t1;
+CREATE TABLE bug25126 (
+val int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY
+);
+UPDATE bug25126 SET MissingCol = MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'field list'
+UPDATE bug25126 SET val = val ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = val ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = 1 ORDER BY val, MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = MissingCol ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = 1 ORDER BY val, MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = 1 ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = val ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = MissingCol ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+DROP TABLE bug25126;
diff --git a/mysql-test/t/order_by.test b/mysql-test/t/order_by.test
index a8024be7032..bfca5ddd15d 100644
--- a/mysql-test/t/order_by.test
+++ b/mysql-test/t/order_by.test
@@ -575,4 +575,34 @@ SELECT a + 1 AS num, (select num + 2 FROM t1 LIMIT 1) FROM t1;
 SELECT a.a + 1 AS num FROM t1 a JOIN t1 b ON num = b.a;
 DROP TABLE t1;
 
+#
+# Bug#25126: Reference to non-existant column in UPDATE...ORDER BY... 
+#       crashes server
+#
+CREATE TABLE bug25126 (
+  val int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY
+);
+--error 1054
+UPDATE bug25126 SET MissingCol = MissingCol;
+--error 1054
+UPDATE bug25126 SET val = val ORDER BY MissingCol;
+UPDATE bug25126 SET val = val ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY val;
+--error 1054
+UPDATE bug25126 SET val = 1 ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET val = 1 ORDER BY val, MissingCol;
+--error 1054
+UPDATE bug25126 SET val = MissingCol ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = 1 ORDER BY val, MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = 1 ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = val ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = MissingCol ORDER BY MissingCol;
+DROP TABLE bug25126;
+
+
 # End of 4.1 tests
diff --git a/sql/item.cc b/sql/item.cc
index 45d7856b2c1..3b7fa10902e 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1771,7 +1771,18 @@ bool Item_field::fix_fields(THD *thd, TABLE_LIST *tables, Item **ref)
              use the field from the Item_field in the select list and leave
              the Item_field instance in place.
             */
-            set_field((*((Item_field**)res))->field);
+
+            Field *field= (*((Item_field**)res))->field;
+
+            if (field == NULL)
+            {
+              /* The column to which we link isn't valid. */
+              my_error(ER_BAD_FIELD_ERROR, MYF(0), (*res)->name, 
+                       current_thd->where);
+              return(1);
+            }
+
+            set_field(field);
             return 0;
           }
           else