MDEV-7821 - Server crashes in Item_func_group_concat::fix_fields on 2nd

execution of PS GROUP_CONCAT() with ORDER BY column position may crash server on PS reexecution. The problem was that arguments array of GROUP_CONCAT() was adjusted to point to temporary elements (resolved ORDER BY fields) during first execution. This patch expands rev. 08763096cb to restore original arguments array as well.
author: Sergey Vojtovich <svoj@mariadb.org> 2015-07-30 18:51:44 +0400
committer: Sergey Vojtovich <svoj@mariadb.org> 2015-07-31 13:05:10 +0400
commit: 1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5 (patch)
tree: 290968af678809c0b1702efa731ea78ae44654cb /sql/item_sum.cc
parent: fa765a45250176d1168ce5a61dee484c997604b6 (diff)
download: mariadb-git-1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index d8970ca26b5..a24307b131b 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -3300,6 +3300,8 @@ void Item_func_group_concat::cleanup()
     from Item_func_group_concat::setup() to point to runtime
     created objects, we need to reset them back to the original
     arguments of the function.
+
+    The very same applies to args array.
   */
   ORDER **order_ptr= order;
   for (uint i= 0; i < arg_count_order; i++)
@@ -3307,6 +3309,7 @@ void Item_func_group_concat::cleanup()
     (*order_ptr)->item= &args[arg_count_field + i];
     order_ptr++;
   }
+  memcpy(args, orig_args, sizeof(Item *) * arg_count);
   DBUG_VOID_RETURN;
 }
author	Sergey Vojtovich <svoj@mariadb.org>	2015-07-30 18:51:44 +0400
committer	Sergey Vojtovich <svoj@mariadb.org>	2015-07-31 13:05:10 +0400
commit	1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5 (patch)
tree	290968af678809c0b1702efa731ea78ae44654cb /sql/item_sum.cc
parent	fa765a45250176d1168ce5a61dee484c997604b6 (diff)
download	mariadb-git-1ad294e06430d9fa2dd7e4dd84ffd7909aff0ca5.tar.gz