MDEV-26412 Server crash in Item_field::fix_outer_field for INSERT SELECT

IF an INSERT/REPLACE SELECT statement contained an ON expression in the top
level select and this expression used a subquery with a column reference
that could not be resolved then an attempt to resolve this reference as
an outer reference caused a crash of the server. This happened because the
outer context field in the Name_resolution_context structure was not set
to NULL for such references. Rather it pointed to the first element in
the select_stack.

Note that starting from 10.4 we cannot use the SELECT_LEX::outer_select()
method when parsing a SELECT construct.

Approved by Oleksandr Byelkin <sanja@mariadb.com>

1 files changed, 17 insertions, 0 deletions

diff --git a/sql/sql_lex.h b/sql/sql_lex.h
index 044eb425f71..3e35d16d355 100644
--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -3246,6 +3246,12 @@ public:
   List<Name_resolution_context> context_stack;
   SELECT_LEX *select_stack[MAX_SELECT_NESTING + 1];
   uint select_stack_top;
+  /*
+    Usually this is set to 0, but for INSERT/REPLACE SELECT it is set to 1.
+    When parsing such statements the pointer to the most outer select is placed
+    into the second element of select_stack rather than into the first.
+  */
+  uint select_stack_outer_barrier;
 
   SQL_I_List<ORDER> proc_list;
   SQL_I_List<TABLE_LIST> auxiliary_table_list, save_list;
@@ -3686,6 +3692,17 @@ public:
 
   bool copy_db_to(LEX_CSTRING *to);
 
+  void inc_select_stack_outer_barrier()
+  {
+    select_stack_outer_barrier++;
+  }
+
+  SELECT_LEX *parser_current_outer_select()
+  {
+    return select_stack_top - 1 == select_stack_outer_barrier ?
+             0 : select_stack[select_stack_top - 1];
+  }
+
   Name_resolution_context *current_context()
   {
     return context_stack.head();