MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree

vuvova · vuvova · commit d88dfd873232 · 2019-04-27T19:38:39.000+02:00
Item_func_group_concat stores values in `tree`, which is often, but not
always the same as `&amp;tree_base`.
diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result
@@ -1207,3 +1207,22 @@ c
 Warnings:
 Warning	1260	Row 15 was cut by GROUP_CONCAT()
 set max_session_mem_used=default;
+SET group_concat_max_len= 8;
+CREATE TABLE t1 (a INT);
+INSERT t1 VALUES (1),(2);
+CREATE TABLE t2 (b DATE, c INT);
+INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2);
+CREATE TABLE t3 (d INT);
+INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14);
+CREATE TABLE t4 (e INT);
+INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15);
+SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f,
+GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc
+FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4
+GROUP BY f;
+f	gc
+2	2019-12-
+Warnings:
+Warning	1260	Row 1 was cut by GROUP_CONCAT()
+DROP TABLE t1, t2, t3, t4;
+SET group_concat_max_len= default;
diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test
@@ -879,3 +879,22 @@ set max_session_mem_used=16*1024*1024; # 8M..32M
 SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
 FROM seq_1_to_200000;
 set max_session_mem_used=default;
+
+#
+# MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree
+#
+SET group_concat_max_len= 8;
+CREATE TABLE t1 (a INT);
+INSERT t1 VALUES (1),(2);
+CREATE TABLE t2 (b DATE, c INT);
+INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2);
+CREATE TABLE t3 (d INT);
+INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14);
+CREATE TABLE t4 (e INT);
+INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15);
+SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f,
+       GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc
+FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4
+GROUP BY f;
+DROP TABLE t1, t2, t3, t4;
+SET group_concat_max_len= default;
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
@@ -3345,8 +3345,8 @@ bool Item_func_group_concat::repack_tree(THD *thd)
     delete_tree(&st.tree);
     return 1;
   }
-  delete_tree(&tree_base);
-  tree_base= st.tree;
+  delete_tree(tree);
+  *tree= st.tree;
   tree_len= st.len;
   return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -3345,8 +3345,8 @@ bool Item_func_group_concat::repack_tree(THD *thd)`
`3345`	`3345`	`delete_tree(&st.tree);`
`3346`	`3346`	`return 1;`
`3347`	`3347`	`}`
`3348`		`- delete_tree(&tree_base);`
`3349`		`- tree_base= st.tree;`
	`3348`	`+ delete_tree(tree);`
	`3349`	`+ *tree= st.tree;`
`3350`	`3350`	`tree_len= st.len;`
`3351`	`3351`	`return 0;`
`3352`	`3352`	`}`