MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_gr…

…oup_concat::repack_tree Item_func_group_concat stores values in `tree`, which is often, but not always the same as `&tree_base`.
MariaDB · Apr 27, 2019 · d88dfd8 · d88dfd8
1 parent 3fe3857
commit d88dfd8
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 2 deletions.
diff --git a/mysql-test/r/func_gconcat.result b/mysql-test/r/func_gconcat.result
@@ -1207,3 +1207,22 @@ c
 Warnings:
 Warning	1260	Row 15 was cut by GROUP_CONCAT()
 set max_session_mem_used=default;
+SET group_concat_max_len= 8;
+CREATE TABLE t1 (a INT);
+INSERT t1 VALUES (1),(2);
+CREATE TABLE t2 (b DATE, c INT);
+INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2);
+CREATE TABLE t3 (d INT);
+INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14);
+CREATE TABLE t4 (e INT);
+INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15);
+SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f,
+GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc
+FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4
+GROUP BY f;
+f	gc
+2	2019-12-
+Warnings:
+Warning	1260	Row 1 was cut by GROUP_CONCAT()
+DROP TABLE t1, t2, t3, t4;
+SET group_concat_max_len= default;
diff --git a/mysql-test/t/func_gconcat.test b/mysql-test/t/func_gconcat.test
@@ -879,3 +879,22 @@ set max_session_mem_used=16*1024*1024; # 8M..32M
 SELECT GROUP_CONCAT(concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1), concat(seq/1.1) ORDER BY 2,1,3,4,6,5,8,7) AS c
 FROM seq_1_to_200000;
 set max_session_mem_used=default;
+
+#
+# MDEV-19350 Server crashes in delete_tree_element / ... / Item_func_group_concat::repack_tree
+#
+SET group_concat_max_len= 8;
+CREATE TABLE t1 (a INT);
+INSERT t1 VALUES (1),(2);
+CREATE TABLE t2 (b DATE, c INT);
+INSERT t2 VALUES ('2019-12-04',1),('2020-03-28',2);
+CREATE TABLE t3 (d INT);
+INSERT t3 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14);
+CREATE TABLE t4 (e INT);
+INSERT t4 VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15);
+SELECT (SELECT MAX(a) FROM t1 WHERE t2_sq.c > 0) AS f,
+       GROUP_CONCAT(t2_sq.b ORDER BY 1) AS gc
+FROM (SELECT t2_a.* FROM t2 AS t2_a, t2 AS t2_b) AS t2_sq, t3, t4
+GROUP BY f;
+DROP TABLE t1, t2, t3, t4;
+SET group_concat_max_len= default;
diff --git a/sql/item_sum.cc b/sql/item_sum.cc
@@ -3345,8 +3345,8 @@ bool Item_func_group_concat::repack_tree(THD *thd)
     delete_tree(&st.tree);
     return 1;
   }
-  delete_tree(&tree_base);
-  tree_base= st.tree;
+  delete_tree(tree);
+  *tree= st.tree;
   tree_len= st.len;
   return 0;
 }