backport: Bug #55568 from 5.1-security to 5.0-security

> revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53 > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com> > branch nick: 5.1-security > timestamp: Tue 2010-08-24 14:35:48 +0400 > message: > Bug #55568: user variable assignments crash server when used > within query > > The server could crash after materializing a derived table > which requires a temporary table for grouping. > > When destroying the temporary table used to execute a query for > a derived table, JOIN::destroy() did not clean up Item_fields > pointing to fields in the temporary table. This led to > dereferencing a dangling pointer when printing out the items > tree later in the outer SELECT. > > The solution is an addendum to the patch for bug37362: in > addition to cleaning up items in tmp_all_fields3, do the same > for items in tmp_all_fields1, since now we have an example > where this is necessary.
2026-01-06 05:22:24 +03:00 · 2010-11-23 00:29:47 +03:00
parent b318882949
commit 3586f7727f
5 changed files with 114 additions and 8 deletions
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -2226,13 +2226,8 @@ JOIN::destroy()

  cleanup(1);
 /* Cleanup items referencing temporary table columns */
-  if (!tmp_all_fields3.is_empty())
-  {
-    List_iterator_fast<Item> it(tmp_all_fields3);
-    Item *item;
-    while ((item= it++))
-      item->cleanup();
-  }
+  cleanup_item_list(tmp_all_fields1);
+  cleanup_item_list(tmp_all_fields3);
  if (exec_tmp_table1)
    free_tmp_table(thd, exec_tmp_table1);
  if (exec_tmp_table2)
@@ -2243,6 +2238,19 @@ JOIN::destroy()
  DBUG_RETURN(error);
 }

+
+void JOIN::cleanup_item_list(List<Item> &items) const
+{
+  if (!items.is_empty())
+  {
+    List_iterator_fast<Item> it(items);
+    Item *item;
+    while ((item= it++))
+      item->cleanup();
+  }
+}
+
+
 /*
  An entry point to single-unit select (a select without UNION).