Commit c04bf683 authored by Sergey Glukhov's avatar Sergey Glukhov

Bug#57194 group_concat cause crash and/or invalid memory reads with type errors

The problem is caused by bug49487 fix and became visible
after after bug56679 fix.
Items are cleaned up and set to unfixed state after filling derived table.
So we can not rely on item::fixed state in Item_func_group_concat::print
and we can not use 'args' array as items there may be cleaned up.
The fix is always to use orig_args array of items as it
always should contain the correct data.


mysql-test/r/func_gconcat.result:
  test case
mysql-test/t/func_gconcat.test:
  test case
sql/item_sum.cc:
  The fix is always to use orig_args array of items.
parent c7371c9e
...@@ -1029,4 +1029,12 @@ GROUP_CONCAT(t1.a ORDER BY t1.a) ...@@ -1029,4 +1029,12 @@ GROUP_CONCAT(t1.a ORDER BY t1.a)
1,1,2,2 1,1,2,2
DEALLOCATE PREPARE stmt; DEALLOCATE PREPARE stmt;
DROP TABLE t1; DROP TABLE t1;
#
# Bug#57194 group_concat cause crash and/or invalid memory reads with type errors
#
CREATE TABLE t1(f1 int);
INSERT INTO t1 values (0),(0);
SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t GROUP BY t.f1 ) d));
ERROR 22007: Illegal non geometric '(select 1 from (select (1 = group_concat(`test`.`t1`.`f1` separator ',')) AS `1 IN (GROUP_CONCAT(t1.f1))` from `test`.`t1` join `test`.`t1` `t` group by `t`.`f1`) `d`)' value found during parsing
DROP TABLE t1;
End of 5.1 tests End of 5.1 tests
...@@ -734,4 +734,14 @@ EXECUTE stmt; ...@@ -734,4 +734,14 @@ EXECUTE stmt;
DEALLOCATE PREPARE stmt; DEALLOCATE PREPARE stmt;
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Bug#57194 group_concat cause crash and/or invalid memory reads with type errors
--echo #
CREATE TABLE t1(f1 int);
INSERT INTO t1 values (0),(0);
--error ER_ILLEGAL_VALUE_FOR_TYPE
SELECT POLYGON((SELECT 1 FROM (SELECT 1 IN (GROUP_CONCAT(t1.f1)) FROM t1, t1 t GROUP BY t.f1 ) d));
DROP TABLE t1;
--echo End of 5.1 tests --echo End of 5.1 tests
...@@ -3401,8 +3401,6 @@ String* Item_func_group_concat::val_str(String* str) ...@@ -3401,8 +3401,6 @@ String* Item_func_group_concat::val_str(String* str)
void Item_func_group_concat::print(String *str, enum_query_type query_type) void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
/* orig_args is not filled with valid values until fix_fields() */
Item **pargs= fixed ? orig_args : args;
str->append(STRING_WITH_LEN("group_concat(")); str->append(STRING_WITH_LEN("group_concat("));
if (distinct) if (distinct)
str->append(STRING_WITH_LEN("distinct ")); str->append(STRING_WITH_LEN("distinct "));
...@@ -3410,7 +3408,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type) ...@@ -3410,7 +3408,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
if (i) if (i)
str->append(','); str->append(',');
pargs[i]->print(str, query_type); orig_args[i]->print(str, query_type);
} }
if (arg_count_order) if (arg_count_order)
{ {
...@@ -3419,7 +3417,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type) ...@@ -3419,7 +3417,7 @@ void Item_func_group_concat::print(String *str, enum_query_type query_type)
{ {
if (i) if (i)
str->append(','); str->append(',');
pargs[i + arg_count_field]->print(str, query_type); orig_args[i + arg_count_field]->print(str, query_type);
if (order[i]->asc) if (order[i]->asc)
str->append(STRING_WITH_LEN(" ASC")); str->append(STRING_WITH_LEN(" ASC"));
else else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment