Commit d3d6f4fd authored by Georgi Kodinov's avatar Georgi Kodinov

Bug #43354: Use key hint can crash server in explain extended query

      
The copy of the original arguments of a aggregate function was not
initialized until after fix_fields().
Sometimes (e.g. when there's an error processing the statement)
the print() can be called with no corresponding fix_fields() call.
      
Fixed by adding a check if the Item is fixed before using the arguments
copy.

mysql-test/r/explain.result:
  Bug #43354: test case
mysql-test/t/explain.test:
  Bug #43354: test case
sql/item_sum.cc:
  Bug #43354: use the argument list copy only if it's initialized
parent 0614532a
......@@ -155,3 +155,7 @@ id select_type table type possible_keys key key_len ref rows Extra
Warnings:
Note 1003 select 1 AS `1` from (select count(distinct `test`.`t1`.`a`) AS `COUNT(DISTINCT t1.a)` from `test`.`t1` join `test`.`t2` group by `test`.`t1`.`a`) `s1`
DROP TABLE t1,t2;
CREATE TABLE t1 (a INT PRIMARY KEY);
EXPLAIN EXTENDED SELECT COUNT(a) FROM t1 USE KEY(a);
ERROR HY000: Key 'a' doesn't exist in table 't1'
DROP TABLE t1;
......@@ -123,4 +123,17 @@ execute s1;
DROP TABLE t1,t2;
#
# Bug #43354: Use key hint can crash server in explain extended query
#
CREATE TABLE t1 (a INT PRIMARY KEY);
--error ER_KEY_DOES_NOT_EXITS
EXPLAIN EXTENDED SELECT COUNT(a) FROM t1 USE KEY(a);
DROP TABLE t1;
# End of 5.0 tests.
......@@ -440,7 +440,8 @@ void Item_sum::make_field(Send_field *tmp_field)
void Item_sum::print(String *str)
{
Item **pargs= orig_args;
/* orig_args is not filled with valid values until fix_fields() */
Item **pargs= fixed ? orig_args : args;
str->append(func_name());
for (uint i=0 ; i < arg_count ; i++)
{
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment