MDEV-28616 Crash when using derived table over union with order by clause

This bug manifested itself when the server processed a query containing
a derived table over union whose ORDER BY clause included a subquery
with unresolvable column reference. For such a query the server crashed
when trying to resolve column references in the ORDER BY clause used by
union.
For any union with ORDER BY clause an extra SELECT_LEX structure is created
and it is attached to SELECT_LEX_UNIT structure of the union via the field
fake_select_lex. The outer context for fake_select_lex must be the same as
for other selects of the union. If the union is used in the FROM list of
a derived table then the outer context for fake_select_lex must be set to
NULL in line with other selects of the union. It was not done and it
caused a crash when searching for possible resolution of an unresolvable
column reference occurred in a subquery used in the ORDER BY clause.

Approved by Oleksandr Byelkin <sanja@mariadb.com>

Author: igorbabaev

mysql-test/main/derived.result

@@ -1327,5 +1327,28 @@ a	b
 DROP VIEW v1;
 DROP TABLE t1;
 #
+# MDEV-28616: derived table over union with order by clause that
+#             contains subquery with unresolvable column reference
+#
+SELECT 1 FROM (
+SELECT 1 UNION SELECT 2 ORDER BY  (SELECT 1 FROM DUAL WHERE xxx = 0)
+) dt;
+ERROR 42S22: Unknown column 'xxx' in 'where clause'
+create table t1 (a int, b int);
+insert into t1 values (3,8), (7,2), (1,4), (5,9);
+create table t2 (a int, b int);
+insert into t2 values (9,1), (7,3), (2,6);
+create table t3 (c int, d int);
+insert into t3 values (7,8), (1,2), (3,8);
+select * from
+(
+select a,b from t1 where t1.a > 3
+union
+select a,b from t2 where t2.b < 6
+order by (a - b / (select a + max(c) from t3  where d = x))
+) dt;
+ERROR 42S22: Unknown column 'x' in 'where clause'
+drop table t1,t2,t3;
+#
 # End of 10.3 tests
 #

mysql-test/main/derived.test

@@ -1137,6 +1137,36 @@ SELECT * FROM v1 WHERE b > 0;
 DROP VIEW v1;
 DROP TABLE t1;
 
+--echo #
+--echo # MDEV-28616: derived table over union with order by clause that
+--echo #             contains subquery with unresolvable column reference
+--echo #
+
+--error ER_BAD_FIELD_ERROR
+SELECT 1 FROM (
+  SELECT 1 UNION SELECT 2 ORDER BY  (SELECT 1 FROM DUAL WHERE xxx = 0)
+) dt;
+
+create table t1 (a int, b int);
+insert into t1 values (3,8), (7,2), (1,4), (5,9);
+
+create table t2 (a int, b int);
+insert into t2 values (9,1), (7,3), (2,6);
+
+create table t3 (c int, d int);
+insert into t3 values (7,8), (1,2), (3,8);
+
+--error ER_BAD_FIELD_ERROR
+select * from
+(
+  select a,b from t1 where t1.a > 3
+  union
+  select a,b from t2 where t2.b < 6
+  order by (a - b / (select a + max(c) from t3  where d = x))
+) dt;
+
+drop table t1,t2,t3;
+
 --echo #
 --echo # End of 10.3 tests
 --echo #

sql/sql_derived.cc

@@ -771,6 +771,9 @@ bool mysql_derived_prepare(THD *thd, LEX *lex, TABLE_LIST *derived)
         cursor->outer_join|= JOIN_TYPE_OUTER;
     }
   }
+  // Prevent it for possible ORDER BY clause
+  if (unit->fake_select_lex)
+    unit->fake_select_lex->context.outer_context= 0;
 
   /*
     Above cascade call of prepare is important for PS protocol, but after it