From 0ad7fc58c7e149fe7885d6a3558637f87513047a Mon Sep 17 00:00:00 2001
From: unknown <evgen@moonbone.local>
Date: Fri, 7 Dec 2007 22:54:47 +0300
Subject: [PATCH] Bug#32482: Crash for a query with ORDER BY a user variable.

The Item_func_set_user_var::register_field_in_read_map() did not check
whether the result_field was null. This caused server crashes for queries that
required order by such a field and were executed without using a temporary
table.

The Item_func_set_user_var::register_field_in_read_map() now checks the
result_field to be not null.


mysql-test/t/user_var.test:
  Added a test case for the bug#32482: Crash for a query with ORDER BY a user variable.
mysql-test/r/user_var.result:
  Added a test case for the bug#32482: Crash for a query with ORDER BY a user variable.
sql/item_func.cc:
  Bug#32482: Crash for a query with ORDER BY a user variable.
  The Item_func_set_user_var::register_field_in_read_map() now checks the
  result_field to be not null.
---
 mysql-test/r/user_var.result | 7 +++++++
 mysql-test/t/user_var.test   | 8 ++++++++
 sql/item_func.cc             | 9 ++++++---
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result
index 6fd7b39f22..2988a13de4 100644
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -353,3 +353,10 @@ select @a:=f4, count(f4) from t1 group by 1 desc;
 2.6	1
 1.6	4
 drop table t1;
+create table t1 (f1 int);
+insert into t1 values (2), (1);
+select @i := f1 as j from t1 order by 1;
+j
+1
+2
+drop table t1;
diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test
index 3a3e8f88f8..ca02e0b5f2 100644
--- a/mysql-test/t/user_var.test
+++ b/mysql-test/t/user_var.test
@@ -237,3 +237,11 @@ select @a:=f2, count(f2) from t1 group by 1 desc;
 select @a:=f3, count(f3) from t1 group by 1 desc;
 select @a:=f4, count(f4) from t1 group by 1 desc;
 drop table t1;
+
+#
+# Bug#32482: Crash for a query with ORDER BY a user variable.
+#
+create table t1 (f1 int);
+insert into t1 values (2), (1);
+select @i := f1 as j from t1 order by 1;
+drop table t1;
diff --git a/sql/item_func.cc b/sql/item_func.cc
index e255197920..41de960a37 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -3848,9 +3848,12 @@ Item_func_set_user_var::fix_length_and_dec()
 
 bool Item_func_set_user_var::register_field_in_read_map(uchar *arg)
 {
-  TABLE *table= (TABLE *) arg;
-  if (result_field->table == table || !table)
-    bitmap_set_bit(result_field->table->read_set, result_field->field_index);
+  if (result_field)
+  {
+    TABLE *table= (TABLE *) arg;
+    if (result_field->table == table || !table)
+      bitmap_set_bit(result_field->table->read_set, result_field->field_index);
+  }
   return 0;
 }
 
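Review bot: The new `if (result_field)` guard in register_field_in_read_map() has no comment saying when result_field is null, so a later reader cannot tell whether skipping the read-map registration is intended or hides a missing setup step. Going by the commit message, this is the ORDER BY case executed without a temporary table, and a comment above the guard such as `/* result_field is not set when the query runs without a temporary table (Bug#32482); there is nothing to register then. */` would record that. Inside the guard, `result_field->table->read_set` is still dereferenced unchecked when `arg` is null, so if result_field->table can ever be null that would be the same crash class. The test case shows an ordinary SELECT was enough to bring the server down, so it is worth confirming that, and also whether other methods of this class read result_field without a check (none are visible in this hunk).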
-- 
2.30.9