MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'

When creating a summary temporary table with bit fields used in the sum
expression with several parameters, like GROUP_CONCAT(), the counting of
bits needed in the record was wrong.

The reason we got an assert in Aria was because the bug caused a memory
overwrite in the record and Aria noticed that the data was 'impossible.

Author: montywi

mysql-test/main/group_by.result

@@ -2612,6 +2612,14 @@ v	2v,2v
 NULL	1c,2v,2v
 DROP TABLE t1,t2;
 #
+# MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'
+# failed in ma_blockrec.c
+#
+CREATE TABLE t1 (a BIT(5), c BINARY(179));
+INSERT INTO t1 VALUES (b'1100','foo'),(b'0','bar');
+SELECT c, GROUP_CONCAT(CASE NULL WHEN 0 THEN a END, CASE 'foo' WHEN c THEN 1 END) AS f FROM t1 GROUP BY ExtractValue('<a></a>', '/a'), UUID();
+DROP TABLE t1;
+#
 # MDEV-6129: Server crashes during UNION with ORDER BY field IS NULL
 #
 SET sql_mode='ONLY_FULL_GROUP_BY';

mysql-test/main/group_by.test

@@ -1716,6 +1716,18 @@ FROM t1 JOIN t2 ON c = b GROUP BY b WITH ROLLUP;
 
 DROP TABLE t1,t2;
 
+--echo #
+--echo # MDEV-24855 ER_CRASHED_ON_USAGE or Assertion `length <= column->length'
+--echo # failed in ma_blockrec.c
+--echo #
+
+CREATE TABLE t1 (a BIT(5), c BINARY(179));
+INSERT INTO t1 VALUES (b'1100','foo'),(b'0','bar');
+--disable_result_log
+SELECT c, GROUP_CONCAT(CASE NULL WHEN 0 THEN a END, CASE 'foo' WHEN c THEN 1 END) AS f FROM t1 GROUP BY ExtractValue('<a></a>', '/a'), UUID();
+--enable_result_log
+DROP TABLE t1;
+
 --echo #
 --echo # MDEV-6129: Server crashes during UNION with ORDER BY field IS NULL
 --echo #

sql/sql_select.cc

@@ -18504,9 +18504,9 @@ bool Create_tmp_table::add_fields(THD *thd,
       distinct_record_structure= true;
     }
   li.rewind();
-  uint uneven_delta= 0;
   while ((item=li++))
   {
+    uint uneven_delta;
     current_counter= (((param->hidden_field_count < (fieldnr + 1)) &&
                        distinct_record_structure &&
                        (!m_with_cycle ||
@@ -18569,8 +18569,8 @@ bool Create_tmp_table::add_fields(THD *thd,
 
           uneven_delta= m_uneven_bit_length;
           add_field(table, new_field, fieldnr++, param->force_not_null_cols);
-          uneven_delta= m_uneven_bit_length - uneven_delta;
           m_field_count[current_counter]++;
+          m_uneven_bit[current_counter]+= (m_uneven_bit_length - uneven_delta);
 
           if (!(new_field->flags & NOT_NULL_FLAG))
           {
@@ -18651,8 +18651,8 @@ bool Create_tmp_table::add_fields(THD *thd,
 
       uneven_delta= m_uneven_bit_length;
       add_field(table, new_field, fieldnr++, param->force_not_null_cols);
-      uneven_delta= m_uneven_bit_length - uneven_delta;
       m_field_count[current_counter]++;
+      m_uneven_bit[current_counter]+= (m_uneven_bit_length - uneven_delta);
 
       if (item->marker == 4 && item->maybe_null)
       {
@@ -18662,7 +18662,6 @@ bool Create_tmp_table::add_fields(THD *thd,
       if (current_counter == distinct)
         new_field->flags|= FIELD_PART_OF_TMP_UNIQUE;
     }
-    m_uneven_bit[current_counter]+= uneven_delta;
   }
   DBUG_ASSERT(fieldnr == m_field_count[other] + m_field_count[distinct]);
   DBUG_ASSERT(m_blob_count == m_blobs_count[other] + m_blobs_count[distinct]);
@@ -18821,7 +18820,6 @@ bool Create_tmp_table::finalize(THD *thd,
 
     if (!(field->flags & NOT_NULL_FLAG))
     {
-
       recinfo->null_bit= (uint8)1 << (null_counter[current_counter] & 7);
       recinfo->null_pos= (null_pack_base[current_counter] +
                           null_counter[current_counter]/8);