MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field ...

mysql_derived_prepare() sets Name_resolution_context::outer_context=NULL
for the WHERE clause's context.
Do the same for all ON expressions, too.

Author: spetrunia

mysql-test/suite/json/r/json_table.result

@@ -704,6 +704,17 @@ RIGHT JOIN JSON_TABLE('[]', '$' COLUMNS(o3 FOR ORDINALITY)) AS jt3
 ON(1)
 WHERE 0;
 ERROR 42S22: Unknown column 'jt1.a' in 'JSON_TABLE argument'
+#
+# MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field upon subquery with unknown column
+#
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+SELECT * FROM ( SELECT * FROM t1 JOIN t2 ON (b IN(SELECT x FROM (SELECT 1 AS c) AS sq1))) AS sq2;
+ERROR 42S22: Unknown column 'x' in 'field list'
+DROP TABLE t1, t2;
+#
+# Another testcase
+#
 create table t1 (item_name varchar(32), item_props varchar(1024));
 insert into t1 values ('Jeans',  '{"color": ["green", "brown"], "price": 50}');
 insert into t1 values ('Shirt',  '{"color": ["blue", "white"], "price": 20}');

mysql-test/suite/json/t/json_table.test

@@ -601,6 +601,20 @@ JSON_TABLE('[]', '$' COLUMNS(a TEXT PATH '$[*]')) AS jt1
     ON(1)
 WHERE 0;
 
+--echo #
+--echo # MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field upon subquery with unknown column
+--echo #
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (b INT);
+
+--error ER_BAD_FIELD_ERROR
+SELECT * FROM ( SELECT * FROM t1 JOIN t2 ON (b IN(SELECT x FROM (SELECT 1 AS c) AS sq1))) AS sq2;
+
+DROP TABLE t1, t2;
+
+--echo #
+--echo # Another testcase
+--echo #
 create table t1 (item_name varchar(32), item_props varchar(1024));
 insert into t1 values ('Jeans',  '{"color": ["green", "brown"], "price": 50}');
 insert into t1 values ('Shirt',  '{"color": ["blue", "white"], "price": 20}');

sql/sql_derived.cc

@@ -23,6 +23,7 @@
 
 
 #include "mariadb.h"                         /* NO_EMBEDDED_ACCESS_CHECKS */
+#include <functional>
 #include "sql_priv.h"
 #include "unireg.h"
 #include "sql_derived.h"
@@ -760,7 +761,24 @@ bool mysql_derived_prepare(THD *thd, LEX *lex, TABLE_LIST *derived)
   /* prevent name resolving out of derived table */
   for (SELECT_LEX *sl= first_select; sl; sl= sl->next_select())
   {
+    // Prevent it for the WHERE clause
     sl->context.outer_context= 0;
+
+    // And for ON clauses, if there are any
+    std::function<void(List<TABLE_LIST>&)> reset_context=
+      [&](List<TABLE_LIST> &join_list)
+      {
+        List_iterator<TABLE_LIST> li(join_list);
+        while (TABLE_LIST *table= li++)
+        {
+          if (table->on_context)
+            table->on_context->outer_context= NULL;
+          if (table->nested_join)
+            reset_context(table->nested_join->join_list);
+        }
+      };
+    reset_context(*sl->join_list);
+
     if (!derived->is_with_table_recursive_reference() ||
         (!derived->with->with_anchor && 
          !derived->with->is_with_prepared_anchor()))