MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING

when resolving WHERE and ON clauses, do not look in SELECT list/aliases.

MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
when resolving WHERE and ON clauses, do not look in SELECT list/aliases.
0beed9b5 · Sergei Golubchik · 8c34eab9 · 0beed9b5 · 0beed9b5 · 0beed9b5
Commit 0beed9b5 authored Apr 29, 2022 by Sergei Golubchik
5 changed files
--- a/mysql-test/main/having.result
+++ b/mysql-test/main/having.result
@@ -279,11 +279,7 @@ select t1.col1 as tmp_col from t1
 where t1.col2 in 
 (select t2.col2 from t2 
 group by t2.col1, t2.col2 having tmp_col <= 10);
-tmp_col
-10
-10
-10
-10
+ERROR 42S22: Unknown column 'tmp_col' in 'having clause'
 select t1.col1 from t1
 where t1.col2 in 
 (select t2.col2 from t2 

--- a/mysql-test/main/having.test
+++ b/mysql-test/main/having.test
@@ -249,7 +249,8 @@ where t1.col2 in
       group by t2.col1, t2.col2 having t1.col1 <= 10);

 # the having column is resolved in the SELECT clause of the outer query -
-# error in ANSI, works with MySQL extension
+# error in ANSI
+--error ER_BAD_FIELD_ERROR
 select t1.col1 as tmp_col from t1
 where t1.col2 in 
      (select t2.col2 from t2 

--- a/mysql-test/main/subselect_innodb.result
+++ b/mysql-test/main/subselect_innodb.result
@@ -667,5 +667,17 @@ execute stmt;
 a	b
 drop table t1,t2;
 #
+# MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+#
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+a
+1
+0
+Warnings:
+Warning	1292	Truncated incorrect DOUBLE value: ''
+drop table t1;
+#
 # End of 10.4 tests
 #
--- a/mysql-test/main/subselect_innodb.test
+++ b/mysql-test/main/subselect_innodb.test
@@ -658,6 +658,14 @@ execute stmt;

 drop table t1,t2;

+--echo #
+--echo # MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+--echo #
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+drop table t1;
+
 --echo #
 --echo # End of 10.4 tests
 --echo #
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -8398,9 +8398,11 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
    thd->lex->which_check_option_applicable();
  bool save_is_item_list_lookup= select_lex->is_item_list_lookup;
  TABLE_LIST *derived= select_lex->master_unit()->derived;
+  bool save_resolve_in_select_list= select_lex->context.resolve_in_select_list;
  DBUG_ENTER("setup_conds");

  select_lex->is_item_list_lookup= 0;
+  select_lex->context.resolve_in_select_list= false;

  thd->column_usage= MARK_COLUMNS_READ;
  DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage));
@@ -8453,6 +8455,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
    select_lex->where= *conds;
  }
  thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
+  select_lex->context.resolve_in_select_list= save_resolve_in_select_list;
  DBUG_RETURN(thd->is_error());

 err_no_arena: