MDEV-7821 Server crashes in Item_func_group_concat::fix_fields on 2nd…

… execution of PS Correct fix for this bug. The problem was that Item_func_group_concat() was calling setup_order(), passing args as the second argument, ref_pointer_array. While ref_pointer_array should have free space at the end, as setup_order() can append elements to it. In this particular case args[] elements were overwritten when setup_order() was pushing new elements into ref_pointer_array.
MariaDB · Jul 31, 2015 · 96badb1 · 96badb1
1 parent 409709e
commit 96badb1
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
@@ -3300,16 +3300,13 @@ void Item_func_group_concat::cleanup()
     from Item_func_group_concat::setup() to point to runtime
     created objects, we need to reset them back to the original
     arguments of the function.
-
-    The very same applies to args array.
   */
   ORDER **order_ptr= order;
   for (uint i= 0; i < arg_count_order; i++)
   {
     (*order_ptr)->item= &args[arg_count_field + i];
     order_ptr++;
   }
-  memcpy(args, orig_args, sizeof(Item *) * arg_count);
   DBUG_VOID_RETURN;
 }
 
@@ -3517,9 +3514,16 @@ bool Item_func_group_concat::setup(THD *thd)
     "all_fields". The resulting field list is used as input to create
     tmp table columns.
   */
-  if (arg_count_order &&
-      setup_order(thd, args, context->table_list, list, all_fields, *order))
-    DBUG_RETURN(TRUE);
+  if (arg_count_order)
+  {
+    uint n_elems= arg_count_order + all_fields.elements;
+    ref_pointer_array= static_cast<Item**>(thd->alloc(sizeof(Item*) * n_elems));
+    memcpy(ref_pointer_array, args, arg_count * sizeof(Item*));
+    if (!ref_pointer_array ||
+        setup_order(thd, ref_pointer_array, context->table_list, list,
+                    all_fields, *order))
+      DBUG_RETURN(TRUE);
+  }
 
   count_field_types(select_lex, tmp_table_param, all_fields, 0);
   tmp_table_param->force_copy_fields= force_copy_fields;

diff --git a/sql/item_sum.h b/sql/item_sum.h
@@ -1394,6 +1394,7 @@ class Item_func_group_concat : public Item_sum
   String *separator;
   TREE tree_base;
   TREE *tree;
+  Item **ref_pointer_array;
 
   /**
      If DISTINCT is used with this GROUP_CONCAT, this member is used to filter