From dd6dc7adea58d3a325c9a00d92c3ebfe038aa3ae Mon Sep 17 00:00:00 2001
From: unknown
Date: Fri, 1 Sep 2006 13:23:43 +0400
Subject: [PATCH] BUG#21477 "memory overruns for certain kinds of subqueries": make st_select_lex::setup_ref_array() take into account that Item_sum-descendant objects located within descendant SELECTs may be added into ref_pointer_array.
sql/item_sum.cc: BUG#21477 "memory overruns for certain kinds of subqueries": Make SELECT_LEX::n_sum_items contain # of Item_sum-derived objects that exist within this SELECT.
sql/sql_lex.h: BUG#21477 "memory overruns for certain kinds of subqueries": Add SELECT_LEX::n_sum_items and SELECT_LEXT::n_child_sum_items.
sql/sql_yacc.yy: BUG#21477 "memory overruns for certain kinds of subqueries": Make SELECT_LEX::n_sum_items contain # of Item_sum-derived objects that exist within this SELECT.
---
 sql/item_sum.cc | 4 +++-
 sql/sql_lex.cc | 8 ++++----
 sql/sql_lex.h | 8 +++++++-
 sql/sql_yacc.yy | 2 ++
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index 0d2a5b3b080..bcd8270e52f 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -290,7 +290,9 @@ Item_sum::Item_sum(THD *thd, Item_sum *item):
 void Item_sum::mark_as_sum_func()
 {
- current_thd->lex->current_select->with_sum_func= 1;
+ SELECT_LEX *cur_select= current_thd->lex->current_select;
+ cur_select->n_sum_items++;
+ cur_select->with_sum_func= 1;
 with_sum_func= 1;
 }
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index 563ebce4ff7..035c575724e 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -1521,10 +1521,10 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
 */
 Query_arena *arena= thd->stmt_arena;
 return (ref_pointer_array=
- (Item **)arena->alloc(sizeof(Item*) *
- (item_list.elements +
- select_n_having_items +
- order_group_num)* 5)) == 0;
+ (Item **)arena->alloc(sizeof(Item*) * (n_child_sum_items +
+ item_list.elements +
+ select_n_having_items +
+ order_group_num)*5)) == 0;
 }
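Review bot: `n_sum_items` is incremented only inside `mark_as_sum_func()`, so the count that later feeds the sizing of `ref_pointer_array` is only as good as the guarantee that every Item_sum-derived object calls this exactly once while `current_select` is the SELECT it belongs to. The hunk does not show whether the copy constructor named in the hunk header, or items created after parsing, go through this path; if they do not, the estimate can come out low. A comment above the increment would pin the invariant, e.g. `/* Parse-time count used to size ref_pointer_array: every Item_sum must be counted exactly once */`.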
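Review bot: The new size expression adds `n_child_sum_items` but not this SELECT's own `n_sum_items`, and it still relies on the unexplained `*5` multiplier to be an upper bound. If the SELECT's own aggregates are meant to be covered by that multiplier, the comment above the allocation should say so; otherwise the term belongs in the sum, `(n_sum_items + n_child_sum_items + item_list.elements + ...`. Because the bug being fixed is a write past this array, it would also help to keep the computed element count next to `ref_pointer_array` so that code appending to it can assert against the capacity in debug builds instead of trusting the estimate. The function body starts outside the hunk.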
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
index 220d928ccf7..fe6d60a218d 100644
--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -548,6 +548,12 @@ public:
 bool braces; /* SELECT ... UNION (SELECT ... ) <- this braces */
 /* TRUE when having fix field called in processing of this SELECT */
 bool having_fix_field;
+
+ /* Number of Item_sum-derived objects in this SELECT */
+ uint n_sum_items;
+ /* Number of Item_sum-derived objects in children and descendant SELECTs */
+ uint n_child_sum_items;
+
 /* explicit LIMIT clause was used */
 bool explicit_limit;
 /*
@@ -640,7 +646,7 @@ public:
 bool test_limit();
 friend void lex_start(THD *thd, uchar *buf, uint length);
- st_select_lex() {}
+ st_select_lex() : n_sum_items(0), n_child_sum_items(0) {}
 void make_empty_select()
 {
 init_query();
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index d2aca27c836..43204a33d70 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -8927,8 +8927,10 @@ subselect_end:
 {
 LEX *lex=Lex;
 lex->pop_context();
+ SELECT_LEX *child= lex->current_select;
 lex->current_select = lex->current_select->return_after_parsing();
 lex->nest_level--;
+ lex->current_select->n_child_sum_items += child->n_sum_items;
 };
 /**************************************************************************
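Review bot: The two counters are zeroed only in the constructor, while the context lines of this hunk show `make_empty_select()` re-initialising the object through `init_query()`. If an `st_select_lex` is reused across statements (not visible here), `n_sum_items` and `n_child_sum_items` would carry over and keep growing, inflating every later `ref_pointer_array` allocation on that connection. Resetting them where the other per-query fields are reset, `n_sum_items= 0; n_child_sum_items= 0;`, keeps the count per statement. `init_query()` itself is outside the hunk, so confirm it is the right place.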
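Review bot: Only `child->n_sum_items` is added to the parent, so aggregates from SELECTs nested more than one level down never reach the grandparent's `n_child_sum_items`, although the comment in sql/sql_lex.h describes the field as covering "children and descendant SELECTs". If an aggregate can be resolved more than one level up, the outer array would still be undersized; `lex->current_select->n_child_sum_items += child->n_sum_items + child->n_child_sum_items;` would match the comment, or the comment should be narrowed to direct children. `child` is also just the SELECT that was current when the subquery closed, so it is worth checking that earlier branches of a UNION inside the subquery are counted as well.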