From 2419ef962f0e1003641c488d4b6ca1c7b59f1025 Mon Sep 17 00:00:00 2001
From: Sergey Petrunya <psergey@askmonty.org>
Date: Sun, 21 Feb 2010 05:36:18 +0200
Subject: * Better self-recursion protection in Item_subselect::fix_fields.  
 Don't go into branch that calls upper_refs.empty() more than once per  
 PREPARE or EXECUTE * Avoid crashing when processing references to outside
 from subquery's HAVING   (will explain in more details in email)

sql/item.h:
  * Avoid crashing when processing references to outside from subquery's HAVING
    (will explain in more details in email)
sql/item_subselect.cc:
  * Better self-recursion protection in Item_subselect::fix_fields.
    Don't go into branch that calls upper_refs.empty() more than once per
    PREPARE or EXECUTE
---
 sql/item_subselect.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sql/item_subselect.cc')

diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc
index 122a3f70db4..61e72bc6ccc 100644
--- a/sql/item_subselect.cc
+++ b/sql/item_subselect.cc
@@ -186,7 +186,6 @@ bool Item_subselect::fix_fields(THD *thd_param, Item **ref)
   changed= 1;
   inside_first_fix_fields= FALSE;
 
-    done_first_fix_fields= FALSE;
 
   if (!res)
   {
@@ -218,12 +217,14 @@ bool Item_subselect::fix_fields(THD *thd_param, Item **ref)
       if (!(*ref)->fixed)
 	ret= (*ref)->fix_fields(thd, ref);
       thd->where= save_where;
+  done_first_fix_fields= FALSE;
       return ret;
     }
     // Is it one field subselect?
     if (engine->cols() > max_columns)
     {
       my_error(ER_OPERAND_COLUMNS, MYF(0), 1);
+  done_first_fix_fields= FALSE;
       return TRUE;
     }
     fix_length_and_dec();
@@ -240,6 +241,7 @@ bool Item_subselect::fix_fields(THD *thd_param, Item **ref)
   fixed= 1;
 
 err:
+  done_first_fix_fields= FALSE;
   thd->where= save_where;
   return res;
 }
@@ -282,6 +284,7 @@ bool Item_subselect::mark_as_dependent(THD *thd, st_select_lex *select,
   return FALSE;
 }
 
+
 /*
   Adjust attributes after our parent select has been merged into grandparent
 
@@ -310,6 +313,7 @@ void Item_subselect::fix_after_pullout(st_select_lex *new_parent, Item **ref)
   parent_select= new_parent;
 }
 
+
 class Field_fixer: public Field_enumerator
 {
 public:
-- 
cgit v1.2.1