author | Oleksandr Byelkin <sanja@mariadb.com> | 2022-05-04 19:51:26 +0200 |
---|---|---|
committer | Oleksandr Byelkin <sanja@mariadb.com> | 2022-05-06 10:00:08 +0200 |
commit | 141ab971d8d31968ac7104e71801c6ec75638af3 (patch) | |
tree | 71e0d84a9c9614e4a1de5e93fa54a56658d2774b | |
parent | 624cb9735e737ca3392957e2db2171c2957cf282 (diff) | |
download | mariadb-git-141ab971d8d31968ac7104e71801c6ec75638af3.tar.gz |
MDEV-28402 ASAN heap-use-after-free in create_tmp_table, Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
Make default() function follow Item_field and use get_tmp_table_item() for
change_to_use_tmp_fields().
-rw-r--r-- | mysql-test/r/default.result | 18 | ||||
-rw-r--r-- | mysql-test/t/default.test | 17 | ||||
-rw-r--r-- | sql/sql_select.cc | 8 |
3 files changed, 40 insertions, 3 deletions
diff --git a/mysql-test/r/default.result b/mysql-test/r/default.result
index 0c91e6b7e08..1c792983638 100644
--- a/mysql-test/r/default.result
+++ b/mysql-test/r/default.result
@@ -3413,4 +3413,22 @@ SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
 1
 1
 DROP TABLE t1;
+#
+# MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
+# Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
+#
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
+DEFAULT(a) CASE a WHEN 0 THEN 1 ELSE 2 END
+NULL 2
+DROP TABLE t;
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
+DEFAULT(a) CASE a WHEN 0 THEN 1 ELSE 2 END
+NULL 2
+DROP TABLE t;
+DROP VIEW v;
 # end of 10.2 test
diff --git a/mysql-test/t/default.test b/mysql-test/t/default.test
index e0233a3929a..3bc373d0313 100644
--- a/mysql-test/t/default.test
+++ b/mysql-test/t/default.test
@@ -2125,4 +2125,21 @@ CREATE TABLE t1 (pk varchar(36) DEFAULT uuid());
 INSERT INTO t1 VALUES (),();
 SELECT 1 FROM t1 GROUP BY DEFAULT(pk);
 DROP TABLE t1;
+
+
+--echo #
+--echo # MDEV-28402: ASAN heap-use-after-free in create_tmp_table,
+--echo # Assertion `l_offset >= 0 && table->s->rec_buff_length - l_offset > 0'
+--echo #
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM t GROUP BY a WITH ROLLUP;
+DROP TABLE t;
+
+CREATE TABLE t (a INT, KEY (a));
+INSERT INTO t VALUES (1),(2);
+CREATE ALGORITHM=TEMPTABLE VIEW v AS SELECT * FROM t;
+SELECT DISTINCT DEFAULT(a), CASE a WHEN 0 THEN 1 ELSE 2 END FROM v GROUP BY a WITH ROLLUP;
+DROP TABLE t;
+DROP VIEW v;
 --echo # end of 10.2 test
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 82792bbc723..760730d799c 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -23727,12 +23727,14 @@ change_to_use_tmp_fields(THD *thd, Ref_ptr_array ref_pointer_array,
 for (uint i= 0; (item= it++); i++)
 {
 Field *field;
- if ((item->with_sum_func && item->type() != Item::SUM_FUNC_ITEM) ||
+ enum Item::Type item_type= item->type();
+ if ((item->with_sum_func && item_type != Item::SUM_FUNC_ITEM) ||
 item->with_window_func)
 item_field= item;
- else if (item->type() == Item::FIELD_ITEM)
+ else if (item_type == Item::FIELD_ITEM ||
+ item_type == Item::DEFAULT_VALUE_ITEM)
 item_field= item->get_tmp_table_item(thd);
- else if (item->type() == Item::FUNC_ITEM &&
+ else if (item_type == Item::FUNC_ITEM &&
 ((Item_func*)item)->functype() == Item_func::SUSERVAR_FUNC)
 {
 field= item->get_tmp_table_field(); |
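Review bot: The new `item_type == Item::DEFAULT_VALUE_ITEM` arm in change_to_use_tmp_fields() has no comment saying why DEFAULT() must take the Item_field path; the reason, the heap-use-after-free in create_tmp_table reported as MDEV-28402, is recorded only in the commit message. I would add above that `else if` something like `/* DEFAULT(col) must be resolved like a plain field here, see MDEV-28402 */` so that a later refactor of this type dispatch does not silently drop the case. The return value of `item->get_tmp_table_item(thd)` is now used for one more item type, and whether a NULL result is checked cannot be seen here because the loop body continues outside the hunk. The added test queries expose the memory error only through ASAN or the debug assertion, so they presumably need an ASAN or debug build to catch a regression.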