• Gleb Shchepa's avatar
    backport: Bug #55568 from 5.1-security to 5.0-security · 3586f772
    Gleb Shchepa authored
    > revision-id: alexey.kopytov@sun.com-20100824103548-ikm79qlfrvggyj9h
    > parent: sunny.bains@oracle.com-20100816001222-xqc447tr6jwh8c53
    > committer: Alexey Kopytov <Alexey.Kopytov@Sun.com>
    > branch nick: 5.1-security
    > timestamp: Tue 2010-08-24 14:35:48 +0400
    > message:
    >   Bug #55568: user variable assignments crash server when used
    >               within query
    >   
    >   The server could crash after materializing a derived table
    >   which requires a temporary table for grouping.
    >   
    >   When destroying the temporary table used to execute a query for
    >   a derived table, JOIN::destroy() did not clean up Item_fields
    >   pointing to fields in the temporary table. This led to
    >   dereferencing a dangling pointer when printing out the items
    >   tree later in the outer SELECT.
    >   
    >   The solution is an addendum to the patch for bug37362: in
    >   addition to cleaning up items in tmp_all_fields3, do the same
    >   for items in tmp_all_fields1, since now we have an example
    >   where this is necessary.
    3586f772
sql_select.cc 510 KB