Commit 7799c323 authored by Sergey Glukhov's avatar Sergey Glukhov

5.1-security->5.5-security

parents b41e2289 c04bf683
...@@ -1038,6 +1038,14 @@ GROUP_CONCAT(t1.a ORDER BY t1.a) ...@@ -1038,6 +1038,14 @@ GROUP_CONCAT(t1.a ORDER BY t1.a)
1,1,2,2 1,1,2,2
DEALLOCATE PREPARE stmt; DEALLOCATE PREPARE stmt;
DROP TABLE t1; DROP TABLE t1;
#
# Bug#57194 group_concat cause crash and/or invalid memory reads with type errors
#
CREATE TABLE t1(f1 int);
INSERT INTO t1 values (0),(0);
SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t GROUP BY t.f1 ) d));
ERROR 22007: Illegal non geometric '(select 1 from (select (1 = group_concat(`test`.`t1`.`f1` separator ',')) AS `1 IN (GROUP_CONCAT(t1.f1))` from `test`.`t1` join `test`.`t1` `t` group by `t`.`f1`) `d`)' value found during parsing
DROP TABLE t1;
End of 5.1 tests End of 5.1 tests
DROP TABLE IF EXISTS t1, t2; DROP TABLE IF EXISTS t1, t2;
CREATE TABLE t1 (a VARCHAR(6), b INT); CREATE TABLE t1 (a VARCHAR(6), b INT);
......
...@@ -738,6 +738,15 @@ EXECUTE stmt; ...@@ -738,6 +738,15 @@ EXECUTE stmt;
DEALLOCATE PREPARE stmt; DEALLOCATE PREPARE stmt;
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Bug#57194 group_concat cause crash and/or invalid memory reads with type errors
--echo #
CREATE TABLE t1(f1 int);
INSERT INTO t1 values (0),(0);
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t GROUP BY t.f1 ) d));
DROP TABLE t1;
--echo End of 5.1 tests --echo End of 5.1 tests
......
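Review bot: The new Bug#57194 case uses `GROUP_CONCAT(t1.f1)` with no ORDER BY list, so it only drives the first argument loop of `Item_func_group_concat::print()`; the second patched loop, `orig_args[i + arg_count_field]->print(str, query_type);`, is not reached by this test. A second statement of the same shape using `GROUP_CONCAT(t1.f1 ORDER BY t1.f1)` under the same `--error ER_ILLEGAL_VALUE_FOR_TYPE` would cover it, with the expected error text recorded in the result file. The neighbouring tests run through PREPARE/EXECUTE, so a prepared-statement variant may also be worth adding, though whether that path reaches print() in a different item state is not visible from this page.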
...@@ -3395,8 +3395,6 @@ String* Item_func_group_concat::val_str(String* str) ...@@ -3395,8 +3395,6 @@ String* Item_func_group_concat::val_str(String* str)
void Item_func_group_concat::print(String *str, enum_query_type query_type) void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
/* orig_args is not filled with valid values until fix_fields() */
Item **pargs= fixed ? orig_args : args;
str->append(STRING_WITH_LEN("group_concat(")); str->append(STRING_WITH_LEN("group_concat("));
if (distinct) if (distinct)
str->append(STRING_WITH_LEN("distinct ")); str->append(STRING_WITH_LEN("distinct "));
...@@ -3404,7 +3402,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type) ...@@ -3404,7 +3402,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
if (i) if (i)
str->append(','); str->append(',');
pargs[i]->print(str, query_type); orig_args[i]->print(str, query_type);
} }
if (arg_count_order) if (arg_count_order)
{ {
...@@ -3413,7 +3411,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type) ...@@ -3413,7 +3411,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
if (i) if (i)
str->append(','); str->append(',');
pargs[i + arg_count_field]->print(str, query_type); orig_args[i + arg_count_field]->print(str, query_type);
if (order[i]->asc) if (order[i]->asc)
str->append(STRING_WITH_LEN(" ASC")); str->append(STRING_WITH_LEN(" ASC"));
else else
......
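Review bot: Both loops in `Item_func_group_concat::print()` now dereference `orig_args[i]` and `orig_args[i + arg_count_field]` unconditionally, while the comment this commit deletes said that orig_args is not filled with valid values until fix_fields(). Nothing in the visible hunks shows where orig_args is populated before fix_fields(), so confirm that every construction path of the item (including any copy used when the item is cloned) initialises it; otherwise print() on an unfixed item would read stale pointers, which is the class of invalid read the bug title describes. I would replace the deleted comment with one that states the new invariant, for example `/* orig_args is filled at construction time and is valid both before and after fix_fields() */`. The body of print() starts and ends outside the hunks shown.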