From 0beed9b5e933f0ff79b3bb346524f7a451d14e38 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Fri, 29 Apr 2022 14:50:47 +0200
Subject: [PATCH] MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING

when resolving WHERE and ON clauses, do not look in SELECT list/aliases.
---
 mysql-test/main/having.result | 6 +-----
 mysql-test/main/having.test | 3 ++-
 mysql-test/main/subselect_innodb.result | 12 ++++++++++++
 mysql-test/main/subselect_innodb.test | 8 ++++++++
 sql/sql_base.cc | 3 +++
 5 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/mysql-test/main/having.result b/mysql-test/main/having.result
index 8800402dc35..b4ca607ec84 100644
--- a/mysql-test/main/having.result
+++ b/mysql-test/main/having.result
@@ -279,11 +279,7 @@ select t1.col1 as tmp_col from t1
 where t1.col2 in (select t2.col2 from t2
 group by t2.col1, t2.col2
 having tmp_col <= 10);
-tmp_col
-10
-10
-10
-10
+ERROR 42S22: Unknown column 'tmp_col' in 'having clause'
 select t1.col1 from t1
 where t1.col2 in (select t2.col2 from t2
diff --git a/mysql-test/main/having.test b/mysql-test/main/having.test
index b3b128684a3..3f4e8a8e710 100644
--- a/mysql-test/main/having.test
+++ b/mysql-test/main/having.test
@@ -249,7 +249,8 @@ where t1.col2 in
 group by t2.col1, t2.col2
 having t1.col1 <= 10);
 # the having column is resolved in the SELECT clause of the outer query -
-# error in ANSI, works with MySQL extension
+# error in ANSI
+--error ER_BAD_FIELD_ERROR
 select t1.col1 as tmp_col from t1
 where t1.col2 in (select t2.col2 from t2
diff --git a/mysql-test/main/subselect_innodb.result b/mysql-test/main/subselect_innodb.result
index ae22329f62a..467ed218198 100644
--- a/mysql-test/main/subselect_innodb.result
+++ b/mysql-test/main/subselect_innodb.result
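Review bot: The surviving comment `# error in ANSI` in the having.test hunk now reads as the tail of the previous context line (`... outer query -`) and no longer says why the MySQL-extension behaviour was dropped, so a reader of the test sees an expected error with no reason attached. Something like `# error in ANSI; the MySQL extension that resolved it against the outer SELECT list was removed by MDEV-28097` would keep the history visible at the test. The having.result hunk shows this is a user-visible compatibility change — a query that previously returned rows now fails with ER_BAD_FIELD_ERROR — which the commit description does not call out, so it is worth stating there or in release notes.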
@@ -667,5 +667,17 @@ execute stmt;
 a b
 drop table t1,t2;
 #
+# MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+#
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+a
+1
+0
+Warnings:
+Warning 1292 Truncated incorrect DOUBLE value: ''
+drop table t1;
+#
 # End of 10.4 tests
 #
diff --git a/mysql-test/main/subselect_innodb.test b/mysql-test/main/subselect_innodb.test
index e767891c8db..8ff3a5acf7d 100644
--- a/mysql-test/main/subselect_innodb.test
+++ b/mysql-test/main/subselect_innodb.test
@@ -658,6 +658,14 @@ execute stmt;
 drop table t1,t2;
+--echo #
+--echo # MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+--echo #
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+drop table t1;
+
 --echo #
 --echo # End of 10.4 tests
 --echo #
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 14b97b43660..ef7a075e304 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -8398,9 +8398,11 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List &leaves,
 thd->lex->which_check_option_applicable();
 bool save_is_item_list_lookup= select_lex->is_item_list_lookup;
 TABLE_LIST *derived= select_lex->master_unit()->derived;
+bool save_resolve_in_select_list= select_lex->context.resolve_in_select_list;
 DBUG_ENTER("setup_conds");
 select_lex->is_item_list_lookup= 0;
+select_lex->context.resolve_in_select_list= false;
 thd->column_usage= MARK_COLUMNS_READ;
 DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage));
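Review bot: The regression case in subselect_innodb.test only exercises the WHERE path, while the description says the change applies to both WHERE and ON clause resolution (both go through setup_conds in the sql_base.cc hunk); an ON-clause variant of the same subquery, with the outer column referenced from the subquery's HAVING, would cover the second path. The table is also created with `engine=innodb` although the defect is in name resolution, not storage; if InnoDB is not actually required to reproduce the use-after-free, the case belongs in the engine-independent subselect test, and if it is required, a one-line `--echo #` comment saying so would stop the next maintainer from moving it. The same applies to the subselect_innodb.result hunk, which records the expected output for this case.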
@@ -8453,6 +8455,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List &leaves,
 select_lex->where= *conds;
 }
 thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
+select_lex->context.resolve_in_select_list= save_resolve_in_select_list;
 DBUG_RETURN(thd->is_error());
 err_no_arena:
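Review bot: The restore of `select_lex->context.resolve_in_select_list` is placed only on the normal-return path; `err_no_arena:` immediately below returns without it (its body is outside the hunk), so any failure that jumps to that label leaves the flag forced to false for the rest of this select_lex, which would change how later names in the same select are resolved. If that label restores `is_item_list_lookup`, as its position right after the success-path restore suggests, it should also get `select_lex->context.resolve_in_select_list= save_resolve_in_select_list;`. Note as well that the pre-existing restore goes through `thd->lex->current_select` while the new line uses `select_lex`; if those can differ at this point the two flags are restored on different selects, which deserves a comment or a single common variable. The enclosing function setup_conds starts before this hunk.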