Fix for bug #35298: GROUP_CONCAT with DISTINCT can crash the server

The bug is a regression introduced by the patch for bug32798.

The code in Item_func_group_concat::clear() relied on the 'distinct'
variable to check if 'unique_filter' was initialized. That, however,
is not always valid because Item_func_group_concat::setup() can do
shortcuts in some cases w/o initializing 'unique_filter'.

Fixed by checking the value of 'unique_filter' instead of 'distinct'
before dereferencing.
parent 771d861c
...@@ -946,4 +946,30 @@ GROUP BY 1 ...@@ -946,4 +946,30 @@ GROUP BY 1
d1 d1
NULL NULL
DROP TABLE t1; DROP TABLE t1;
CREATE TABLE t1 (a INT);
CREATE TABLE t2 (a INT);
INSERT INTO t1 VALUES(1);
SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
GROUP_CONCAT(DISTINCT t2.a)
NULL
DROP TABLE t1, t2;
CREATE TABLE t1 (a INT, KEY(a));
CREATE TABLE t2 (b INT);
INSERT INTO t1 VALUES (NULL), (8), (2);
INSERT INTO t2 VALUES (4), (10);
SELECT 1 FROM t1 WHERE t1.a NOT IN
(
SELECT GROUP_CONCAT(DISTINCT t1.a)
FROM t1 WHERE t1.a IN
(
SELECT b FROM t2
)
AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
GROUP BY t1.a
);
1
1
1
1
DROP TABLE t1, t2;
End of 5.0 tests End of 5.0 tests
...@@ -657,4 +657,40 @@ SELECT s1.d1 FROM ...@@ -657,4 +657,40 @@ SELECT s1.d1 FROM
) AS s1; ) AS s1;
DROP TABLE t1; DROP TABLE t1;
#
# Bug #35298: GROUP_CONCAT with DISTINCT can crash the server
#
CREATE TABLE t1 (a INT);
CREATE TABLE t2 (a INT);
INSERT INTO t1 VALUES(1);
SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
DROP TABLE t1, t2;
#
# Bug #36024: group_concat distinct in subquery crash
#
CREATE TABLE t1 (a INT, KEY(a));
CREATE TABLE t2 (b INT);
INSERT INTO t1 VALUES (NULL), (8), (2);
INSERT INTO t2 VALUES (4), (10);
SELECT 1 FROM t1 WHERE t1.a NOT IN
(
SELECT GROUP_CONCAT(DISTINCT t1.a)
FROM t1 WHERE t1.a IN
(
SELECT b FROM t2
)
AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
GROUP BY t1.a
);
DROP TABLE t1, t2;
--echo End of 5.0 tests --echo End of 5.0 tests
...@@ -3222,7 +3222,7 @@ void Item_func_group_concat::clear() ...@@ -3222,7 +3222,7 @@ void Item_func_group_concat::clear()
no_appended= TRUE; no_appended= TRUE;
if (tree) if (tree)
reset_tree(tree); reset_tree(tree);
if (distinct) if (unique_filter)
unique_filter->reset(); unique_filter->reset();
/* No need to reset the table as we never call write_row */ /* No need to reset the table as we never call write_row */
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment