mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00

Bug#25126: Wrongly resolved field leads to a crash.

When the ORDER BY clause gets fixed it's allowed to search in the current
item_list in order to find aliased fields and expressions. This is ok for a
SELECT but wrong for an UPDATE statement. If the ORDER BY clause contains
a non-existing field which is mentioned in the UPDATE set list
then the server will crash due to the use of a non-existing (0x0) field.

When an Item_field is getting fixed it's allowed to search the item list for
aliased expressions and fields only for selects.
evgen@sunlight.local
2007-03-04 00:47:42 +03:00
parent cf9aca84b3
commit 629c12316d
4 changed files with 44 additions and 6 deletions


@ -265,6 +265,7 @@ JOIN::prepare(Item ***rref_pointer_array,
select_lex->join= this;
union_part= (unit_arg->first_select()->next_select() != 0);
thd->lex->current_select->is_item_list_lookup= 1;
/* Check that all tables, fields, conds and order are ok */
if (setup_tables(tables_list) ||
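Review bot: the `is_item_list_lookup= 1` assignment in JOIN::prepare is written through `thd->lex->current_select`, while the line directly above it sets `select_lex->join= this;`. If the two can ever refer to different selects at this point (nested or union parts), the flag lands on the wrong one; either assign through `select_lex` or add a comment stating why `current_select` is the right object here. Nothing in the visible lines resets the flag, so it would also help to document that it is meant to stay set for the rest of the SELECT's preparation and that non-SELECT statements are expected to leave it at 0, since that is the invariant the crash fix relies on.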
@ -8702,16 +8703,12 @@ find_order_in_list(THD *thd, Item **ref_pointer_array,
'it' reassigned in if condition because fix_field can change it.
*/
thd->lex->current_select->is_item_list_lookup= 1;
if (!it->fixed &&
(it->fix_fields(thd, tables, order->item) ||
(it= *order->item)->check_cols(1) ||
thd->is_fatal_error))
{
thd->lex->current_select->is_item_list_lookup= 0;
return 1; // Wrong field
}
thd->lex->current_select->is_item_list_lookup= 0;
uint el= all_fields.elements;
all_fields.push_front(it); // Add new field to field list
ref_pointer_array[el]= it;
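Review bot: in find_order_in_list the call `it->fix_fields(thd, tables, order->item)` now depends on `is_item_list_lookup` having been set by whoever called it, but the function carries no comment or assertion saying so. The hunk header shrinks this region from 16 lines to 12, and the lines in question are the `is_item_list_lookup= 1` / `= 0` assignments that bracket the call and its error path. Add a short comment above the `if (!it->fixed && ...` block stating that item-list lookup is enabled by the SELECT path and deliberately left off for UPDATE, so a later caller does not reintroduce the local toggle. The existing comment "'it' reassigned in if condition because fix_field can change it" is still accurate for `(it= *order->item)->check_cols(1)` and should stay. A regression test with an UPDATE whose ORDER BY names a non-existent field that also appears in the SET list would pin the behaviour described in the commit message.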