From 49c8d8b2e613e7c28663df0234e6d98d727eaebd Mon Sep 17 00:00:00 2001
From: unknown <timour@askmonty.org>
Date: Fri, 9 Nov 2012 13:07:32 +0200
Subject: [PATCH] MDEV-3810 fix.

The problem is that memory alocated by copy_andor_structure() well be freed,
but if level of SELECT_LEX it will be excluded (in case of merge derived tables and view)
then sl->where/having will not be updated here but still can be accessed (so it will be access to freed memory).

(patch by Sanja)
---
 sql/sql_prepare.cc | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sql/sql_prepare.cc b/sql/sql_prepare.cc
index 9e8a6b941c6..d91d03d24ee 100644
--- a/sql/sql_prepare.cc
+++ b/sql/sql_prepare.cc
@@ -2447,14 +2447,24 @@ void reinit_stmt_before_use(THD *thd, LEX *lex)
       */
       if (sl->prep_where)
       {
-        sl->where= sl->prep_where->copy_andor_structure(thd);
+        /*
+          We need this rollback because memory allocated in
+          copy_andor_structure() will be freed
+        */
+        thd->change_item_tree((Item**)&sl->where,
+                              sl->prep_where->copy_andor_structure(thd));
         sl->where->cleanup();
       }
       else
         sl->where= NULL;
       if (sl->prep_having)
       {
-        sl->having= sl->prep_having->copy_andor_structure(thd);
+        /*
+          We need this rollback because memory allocated in
+          copy_andor_structure() will be freed
+        */
+        thd->change_item_tree((Item**)&sl->having,
+                              sl->prep_having->copy_andor_structure(thd));
         sl->having->cleanup();
       }
       else