MDEV-28097 use-after-free when WHERE has subquery with an outer refer…

…ence in HAVING when resolving WHERE and ON clauses, do not look in SELECT list/aliases.
MariaDB · Apr 29, 2022 · 0beed9b · 0beed9b
1 parent 8c34eab
commit 0beed9b
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 6 deletions.
diff --git a/mysql-test/main/having.result b/mysql-test/main/having.result
@@ -279,11 +279,7 @@ select t1.col1 as tmp_col from t1
 where t1.col2 in 
 (select t2.col2 from t2 
 group by t2.col1, t2.col2 having tmp_col <= 10);
-tmp_col
-10
-10
-10
-10
+ERROR 42S22: Unknown column 'tmp_col' in 'having clause'
 select t1.col1 from t1
 where t1.col2 in 
 (select t2.col2 from t2 

diff --git a/mysql-test/main/having.test b/mysql-test/main/having.test
@@ -249,7 +249,8 @@ where t1.col2 in
        group by t2.col1, t2.col2 having t1.col1 <= 10);
 
 # the having column is resolved in the SELECT clause of the outer query -
-# error in ANSI, works with MySQL extension
+# error in ANSI
+--error ER_BAD_FIELD_ERROR
 select t1.col1 as tmp_col from t1
 where t1.col2 in 
       (select t2.col2 from t2 

diff --git a/mysql-test/main/subselect_innodb.result b/mysql-test/main/subselect_innodb.result
@@ -667,5 +667,17 @@ execute stmt;
 a	b
 drop table t1,t2;
 #
+# MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+#
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+a
+1
+0
+Warnings:
+Warning	1292	Truncated incorrect DOUBLE value: ''
+drop table t1;
+#
 # End of 10.4 tests
 #
diff --git a/mysql-test/main/subselect_innodb.test b/mysql-test/main/subselect_innodb.test
@@ -658,6 +658,14 @@ execute stmt;
 
 drop table t1,t2;
 
+--echo #
+--echo # MDEV-28097 use-after-free when WHERE has subquery with an outer reference in HAVING
+--echo #
+create table t1 (a text(60) not null) engine=innodb;
+insert into t1 values ('1'),('0');
+select distinct a from t1 where '' in (select 'x' like a having a like a);
+drop table t1;
+
 --echo #
 --echo # End of 10.4 tests
 --echo #
diff --git a/sql/sql_base.cc b/sql/sql_base.cc
@@ -8398,9 +8398,11 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
     thd->lex->which_check_option_applicable();
   bool save_is_item_list_lookup= select_lex->is_item_list_lookup;
   TABLE_LIST *derived= select_lex->master_unit()->derived;
+  bool save_resolve_in_select_list= select_lex->context.resolve_in_select_list;
   DBUG_ENTER("setup_conds");
 
   select_lex->is_item_list_lookup= 0;
+  select_lex->context.resolve_in_select_list= false;
 
   thd->column_usage= MARK_COLUMNS_READ;
   DBUG_PRINT("info", ("thd->column_usage: %d", thd->column_usage));
@@ -8453,6 +8455,7 @@ int setup_conds(THD *thd, TABLE_LIST *tables, List<TABLE_LIST> &leaves,
     select_lex->where= *conds;
   }
   thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
+  select_lex->context.resolve_in_select_list= save_resolve_in_select_list;
   DBUG_RETURN(thd->is_error());
 
 err_no_arena: