database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING

Browse Source 
when resolving WHERE and ON clauses, do not look in
SELECT list/aliases.
This commit is contained in:
Sergei Golubchik
2022-04-29 14:50:47 +02:00
parent 8c34eab968
commit 0beed9b5e9
5 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
mysql-test/main/having.result
View File

@ -279,11 +279,7 @@ select t1.col1 as tmp_col from t1
where t1.col2 in where t1.col2 in
(select t2.col2 from t2 (select t2.col2 from t2
group by t2.col1, t2.col2 having tmp_col <= 10); group by t2.col1, t2.col2 having tmp_col <= 10);
tmp_col ERROR 42S22: Unknown column 'tmp_col' in 'having clause'
10
10
10
10
select t1.col1 from t1 select t1.col1 from t1
where t1.col2 in where t1.col2 in
(select t2.col2 from t2 (select t2.col2 from t2

3
mysql-test/main/having.test
View File

@ -249,7 +249,8 @@ where t1.col2 in
group by t2.col1, t2.col2 having t1.col1 <= 10); group by t2.col1, t2.col2 having t1.col1 <= 10);
# the having column is resolved in the SELECT clause of the outer query - # the having column is resolved in the SELECT clause of the outer query -
# error in ANSI, works with MySQL extension # error in ANSI
--error ER_BAD_FIELD_ERROR
select t1.col1 as tmp_col from t1 select t1.col1 as tmp_col from t1
where t1.col2 in where t1.col2 in
(select t2.col2 from t2 (select t2.col2 from t2

12
mysql-test/main/subselect_innodb.result
View File

@ -667,5 +667,17 @@ execute stmt;
a b a b
drop table t1,t2; drop table t1,t2;
# #
# MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
#
create table t1 (a text(60) not null) engine=innodb;
insert into t1 values ('1'),('0');
select distinct a from t1 where '' in (select 'x' like a having a like a);
a
1
0
Warnings:
Warning 1292 Truncated incorrect DOUBLE value: ''
drop table t1;
#
# End of 10.4 tests # End of 10.4 tests
# #

8
mysql-test/main/subselect_innodb.test
View File

@ -658,6 +658,14 @@ execute stmt;
drop table t1,t2; drop table t1,t2;
--echo #
--echo # MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
--echo #
create table t1 (a text(60) not null) engine=innodb;
insert into t1 values ('1'),('0');
select distinct a from t1 where '' in (select 'x' like a having a like a);
drop table t1;
--echo # --echo #
--echo # End of 10.4 tests --echo # End of 10.4 tests
--echo # --echo #

3
sql/sql_base.cc
View File

@ -8398,9 +8398,11 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
thd->lex->which_check_option_applicable(); thd->lex->which_check_option_applicable();
bool save_is_item_list_lookup= select_lex->is_item_list_lookup; bool save_is_item_list_lookup= select_lex->is_item_list_lookup;
TABLE_LIST *derived= select_lex->master_unit()->derived; TABLE_LIST *derived= select_lex->master_unit()->derived;
bool save_resolve_in_select_list= select_lex->context.resolve_in_select_list;
DBUG_ENTER("setup_conds"); DBUG_ENTER("setup_conds");
select_lex->is_item_list_lookup= 0; select_lex->is_item_list_lookup= 0;
select_lex->context.resolve_in_select_list= false;
thd->column_usage= MARK_COLUMNS_READ; thd->column_usage= MARK_COLUMNS_READ;
DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage)); DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage));
@ -8453,6 +8455,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
select_lex->where= *conds; select_lex->where= *conds;
} }
thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup; thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
select_lex->context.resolve_in_select_list= save_resolve_in_select_list;
DBUG_RETURN(thd->is_error()); DBUG_RETURN(thd->is_error());
err_no_arena: err_no_arena: