From 47f2b16a8cd6d3e50c49be4b868ac7dff9fefc88 Mon Sep 17 00:00:00 2001
From: Dmitry Shulga
Date: Thu, 7 Dec 2023 20:16:41 +0700
Subject: [PATCH] MDEV-31296: Crash in Item_func::fix_fields when prepared statement with subqueries and window function is executed with sql_mode = ONLY_FULL_GROUP_BY

Crash was caused by referencing a null pointer on getting the number of the nesting levels of the set function for the current select_lex at the method Item_field::fix_fields.

The current select for processing is taken from Name_resolution_context that filled in at the function set_new_item_local_context() and where initialization of the data member Name_resolution_context was mistakenly removed by the commit d6ee351bbb66b023e8c477b039aa469b053f84ad (Revert "MDEV-24454 Crash at change_item_tree")

To fix the issue, correct initialization of data member Name_resolution_context::select_lex that was removed by the commit d6ee351bbb66b023e8c477b039aa469b053f84ad is restored.
---
 mysql-test/main/win.result | 13 +++++++++++++
 mysql-test/main/win.test | 14 ++++++++++++++
 .../suite/encryption/r/tempfiles_encrypted.result | 13 +++++++++++++
 sql/sql_base.cc | 1 +
 4 files changed, 41 insertions(+)

diff --git a/mysql-test/main/win.result b/mysql-test/main/win.result
index bcfea2f1419..249ada4383a 100644
--- a/mysql-test/main/win.result
+++ b/mysql-test/main/win.result
@@ -4415,5 +4415,18 @@ NULL
 DROP FUNCTION f;
 DROP TABLE t;
 #
+# MDEV-31296: Crash in Item_func::fix_fields when prepared statement
+# with subqueries and window function is executed with
+# sql_mode = ONLY_FULL_GROUP_BY
+#
+CREATE TABLE t1 ( a INT, i INT) ;
+CREATE TABLE t2 ( a INT);
+INSERT INTO t2 VALUES (4000);
+SET SESSION sql_mode = "ONLY_FULL_GROUP_BY";
+EXECUTE IMMEDIATE "SELECT SUM(i) OVER (ORDER BY i) FROM t1 NATURAL JOIN t2";
+SUM(i) OVER (ORDER BY i)
+# Clean up
+DROP TABLE t1, t2;
+#
 # End of 10.6 tests
 #
diff --git a/mysql-test/main/win.test b/mysql-test/main/win.test
index 0c610f35453..2eed8783d44 100644
--- a/mysql-test/main/win.test
+++ b/mysql-test/main/win.test
@@ -2898,6 +2898,20 @@ EXECUTE IMMEDIATE "SELECT LEAD(c) OVER (ORDER BY c) FROM (SELECT 1 AS c) AS a NA
 DROP FUNCTION f;
 DROP TABLE t;
 
+--echo #
+--echo # MDEV-31296: Crash in Item_func::fix_fields when prepared statement
+--echo # with subqueries and window function is executed with
+--echo # sql_mode = ONLY_FULL_GROUP_BY
+--echo #
+CREATE TABLE t1 ( a INT, i INT) ;
+CREATE TABLE t2 ( a INT);
+INSERT INTO t2 VALUES (4000);
+SET SESSION sql_mode = "ONLY_FULL_GROUP_BY";
+EXECUTE IMMEDIATE "SELECT SUM(i) OVER (ORDER BY i) FROM t1 NATURAL JOIN t2";
+
+--echo # Clean up
+DROP TABLE t1, t2;
+
 --echo #
 --echo # End of 10.6 tests
 --echo #
diff --git a/mysql-test/suite/encryption/r/tempfiles_encrypted.result b/mysql-test/suite/encryption/r/tempfiles_encrypted.result
index 9dfca3aadcb..87e1536b55d 100644
--- a/mysql-test/suite/encryption/r/tempfiles_encrypted.result
+++ b/mysql-test/suite/encryption/r/tempfiles_encrypted.result
@@ -4421,6 +4421,19 @@ NULL
 DROP FUNCTION f;
 DROP TABLE t;
 #
+# MDEV-31296: Crash in Item_func::fix_fields when prepared statement
+# with subqueries and window function is executed with
+# sql_mode = ONLY_FULL_GROUP_BY
+#
+CREATE TABLE t1 ( a INT, i INT) ;
+CREATE TABLE t2 ( a INT);
+INSERT INTO t2 VALUES (4000);
+SET SESSION sql_mode = "ONLY_FULL_GROUP_BY";
+EXECUTE IMMEDIATE "SELECT SUM(i) OVER (ORDER BY i) FROM t1 NATURAL JOIN t2";
+SUM(i) OVER (ORDER BY i)
+# Clean up
+DROP TABLE t1, t2;
+#
 # End of 10.6 tests
 #
 #
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 39ad812e9c0..2bb9aaec322 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -6930,6 +6930,7 @@ set_new_item_local_context(THD *thd, Item_ident *item, TABLE_LIST *table_ref)
   if (!(context= new (thd->mem_root) Name_resolution_context))
     return TRUE;
   context->init();
+  context->select_lex= table_ref->select_lex;
   context->first_name_resolution_table=
     context->last_name_resolution_table= table_ref;
   item->context= context;
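Review bot: The new test case switches the session with `SET SESSION sql_mode = "ONLY_FULL_GROUP_BY";` but its `--echo # Clean up` block only drops the tables, so anything that runs later in win.test (after the "End of 10.6 tests" marker, if more sections follow) executes under the changed mode instead of the default. Save and restore the mode around the case: `SET @save_sql_mode= @@sql_mode;` before the SET and `SET SESSION sql_mode= @save_sql_mode;` after `DROP TABLE t1, t2;`. The same block is duplicated verbatim into win.result and tempfiles_encrypted.result, so the expected-output files need the matching lines added when this is changed.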
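Review bot: The restored line `context->select_lex= table_ref->select_lex;` carries no comment saying why it is needed, and the commit message shows it was already lost once through a revert, so a why-comment is the cheapest guard against a repeat. Suggested: `/* Item_field::fix_fields() reads context->select_lex to count set-function nesting levels; a NULL here crashes (MDEV-31296). */`. The fix also assumes table_ref->select_lex is set for every TABLE_LIST passed to this function, which the hunk does not establish; a `DBUG_ASSERT(table_ref->select_lex);` next to the assignment would make that precondition explicit and turn a silent NULL into a debug-build failure. set_new_item_local_context() starts before the hunk and its body continues past it.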