Fix for bug #35298: GROUP_CONCAT with DISTINCT can crash the server
The bug is a regression introduced by the patch for bug #32798. The code in Item_func_group_concat::clear() relied on the 'distinct' variable to check if 'unique_filter' was initialized. That, however, is not always valid because Item_func_group_concat::setup() can take shortcuts in some cases without initializing 'unique_filter'. Fixed by checking the value of 'unique_filter' instead of 'distinct' before dereferencing. mysql-test/r/func_gconcat.result: Added test cases for bugs #35298 and #36024. mysql-test/t/func_gconcat.test: Added test cases for bugs #35298 and #36024. sql/item_sum.cc: Check if unique_filter != NULL before dereferencing it. A non-zero value of distinct does not always mean that unique_filter is initialized, because Item_func_group_concat::setup() can take shortcuts in some cases.
parent
cf2b2cc506
commit
1a68ec2809
@ -946,4 +946,30 @@ GROUP BY 1
|
|||||||
d1
|
d1
|
||||||
NULL
|
NULL
|
||||||
DROP TABLE t1;
|
DROP TABLE t1;
|
||||||
|
CREATE TABLE t1 (a INT);
|
||||||
|
CREATE TABLE t2 (a INT);
|
||||||
|
INSERT INTO t1 VALUES(1);
|
||||||
|
SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
|
||||||
|
GROUP_CONCAT(DISTINCT t2.a)
|
||||||
|
NULL
|
||||||
|
DROP TABLE t1, t2;
|
||||||
|
CREATE TABLE t1 (a INT, KEY(a));
|
||||||
|
CREATE TABLE t2 (b INT);
|
||||||
|
INSERT INTO t1 VALUES (NULL), (8), (2);
|
||||||
|
INSERT INTO t2 VALUES (4), (10);
|
||||||
|
SELECT 1 FROM t1 WHERE t1.a NOT IN
|
||||||
|
(
|
||||||
|
SELECT GROUP_CONCAT(DISTINCT t1.a)
|
||||||
|
FROM t1 WHERE t1.a IN
|
||||||
|
(
|
||||||
|
SELECT b FROM t2
|
||||||
|
)
|
||||||
|
AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
|
||||||
|
GROUP BY t1.a
|
||||||
|
);
|
||||||
|
1
|
||||||
|
1
|
||||||
|
1
|
||||||
|
1
|
||||||
|
DROP TABLE t1, t2;
|
||||||
End of 5.0 tests
|
End of 5.0 tests
|
||||||
|
@ -657,4 +657,40 @@ SELECT s1.d1 FROM
|
|||||||
) AS s1;
|
) AS s1;
|
||||||
DROP TABLE t1;
|
DROP TABLE t1;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Bug #35298: GROUP_CONCAT with DISTINCT can crash the server
|
||||||
|
#
|
||||||
|
|
||||||
|
CREATE TABLE t1 (a INT);
|
||||||
|
CREATE TABLE t2 (a INT);
|
||||||
|
|
||||||
|
INSERT INTO t1 VALUES(1);
|
||||||
|
|
||||||
|
SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
|
||||||
|
|
||||||
|
DROP TABLE t1, t2;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Bug #36024: group_concat distinct in subquery crash
|
||||||
|
#
|
||||||
|
|
||||||
|
CREATE TABLE t1 (a INT, KEY(a));
|
||||||
|
CREATE TABLE t2 (b INT);
|
||||||
|
|
||||||
|
INSERT INTO t1 VALUES (NULL), (8), (2);
|
||||||
|
INSERT INTO t2 VALUES (4), (10);
|
||||||
|
|
||||||
|
SELECT 1 FROM t1 WHERE t1.a NOT IN
|
||||||
|
(
|
||||||
|
SELECT GROUP_CONCAT(DISTINCT t1.a)
|
||||||
|
FROM t1 WHERE t1.a IN
|
||||||
|
(
|
||||||
|
SELECT b FROM t2
|
||||||
|
)
|
||||||
|
AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
|
||||||
|
GROUP BY t1.a
|
||||||
|
);
|
||||||
|
|
||||||
|
DROP TABLE t1, t2;
|
||||||
|
|
||||||
--echo End of 5.0 tests
|
--echo End of 5.0 tests
|
||||||
|
@ -3222,7 +3222,7 @@ void Item_func_group_concat::clear()
|
|||||||
no_appended= TRUE;
|
no_appended= TRUE;
|
||||||
if (tree)
|
if (tree)
|
||||||
reset_tree(tree);
|
reset_tree(tree);
|
||||||
if (distinct)
|
if (unique_filter)
|
||||||
unique_filter->reset();
|
unique_filter->reset();
|
||||||
/* No need to reset the table as we never call write_row */
|
/* No need to reset the table as we never call write_row */
|
||||||
}
|
}
|
||||||
|
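Review bot: The new `if (unique_filter)` guard in clear() is only as reliable as the pointer's initialisation and teardown, neither of which is visible in this hunk. It is worth confirming that every constructor (including any copy constructor) sets `unique_filter` to NULL and that the cleanup path resets it to NULL after freeing it, since otherwise the guard would pass on an uninitialised or stale pointer. The added test cases show the crash was reachable from an ordinary SELECT, so any other member that still treats `distinct` as proof that `unique_filter` is allocated deserves the same audit. A comment above the guard would record the invariant, for example `/* unique_filter may be NULL even when distinct is set: setup() can return early */`. clear() begins outside the hunk.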