Bug #55568: user variable assignments crash server when used

within query The server could crash after materializing a derived table which requires a temporary table for grouping. When destroying the temporary table used to execute a query for a derived table, JOIN::destroy() did not clean up Item_fields pointing to fields in the temporary table. This led to dereferencing a dangling pointer when printing out the items tree later in the outer SELECT. The solution is an addendum to the patch for bug37362: in addition to cleaning up items in tmp_all_fields3, do the same for items in tmp_all_fields1, since now we have an example where this is necessary.
2025-07-30 16:24:05 +03:00 · 2010-08-24 14:35:48 +04:00
parent 62aa8943b8
commit 0e74ac5028
5 changed files with 114 additions and 8 deletions
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@ -2378,13 +2378,8 @@ JOIN::destroy()

  cleanup(1);
 /* Cleanup items referencing temporary table columns */
-  if (!tmp_all_fields3.is_empty())
-  {
-    List_iterator_fast<Item> it(tmp_all_fields3);
-    Item *item;
-    while ((item= it++))
-      item->cleanup();
-  }
+  cleanup_item_list(tmp_all_fields1);
+  cleanup_item_list(tmp_all_fields3);
  if (exec_tmp_table1)
    free_tmp_table(thd, exec_tmp_table1);
  if (exec_tmp_table2)
@ -2395,6 +2390,19 @@ JOIN::destroy()
  DBUG_RETURN(error);
 }

+
+void JOIN::cleanup_item_list(List<Item> &items) const
+{
+  if (!items.is_empty())
+  {
+    List_iterator_fast<Item> it(items);
+    Item *item;
+    while ((item= it++))
+      item->cleanup();
+  }
+}
+
+
 /**
  An entry point to single-unit select (a select without UNION).