Bug #19814337 - SERVER CRASHES IN ITEM_FUNC_GROUP_CONCAT::FIX_FIELDS ON

3RD EXECUTION OF PS Problem: When order by is by a column number for a group concat function which has an outer reference, server fails in case of prepared statements on the third execution Analysis: When a group concat function has order by, the fields in order by are not resolved until execution if the input is a column number. During execution they get resolved after the temp table gets created. As a result they will be pointing to temp table fields which are runtime created objects. This results in dangling pointers leading to server failure. Solution: Reset the pointers for the order by fields to point to the original arguments after execution as they are invalid. Done in Item_func_group_concat::cleanup.
2025-08-21 16:03:24 +03:00 · 2015-02-26 09:59:00 +05:30
parent 2e3c2cd362
commit 08763096cb
1 changed files with 14 additions and 1 deletions
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
   rights reserved.

   This program is free software; you can redistribute it and/or modify
@@ -3174,6 +3174,19 @@ void Item_func_group_concat::cleanup()
    }
    DBUG_ASSERT(tree == 0);
  }
+  /*
+    As the ORDER structures pointed to by the elements of the
+    'order' array may be modified in find_order_in_list() called
+    from Item_func_group_concat::setup() to point to runtime
+    created objects, we need to reset them back to the original
+    arguments of the function.
+  */
+  ORDER **order_ptr= order;
+  for (uint i= 0; i < arg_count_order; i++)
+  {
+    (*order_ptr)->item= &args[arg_count_field + i];
+    order_ptr++;
+  }
  DBUG_VOID_RETURN;
 }