From 011eb3dffe068db46ea4144eee242a4f2b203cf8 Mon Sep 17 00:00:00 2001
From: unknown
Date: Sat, 17 Nov 2007 11:20:50 +0400
Subject: [PATCH] Fix for bug #32260: User variables in query cause server crash Problem: there's no guarantee that the user variable item's result_field is assigned when we're adjusting its table read map. Fix: check the result_field before using it. mysql-test/r/user_var.result: Fix for bug #32260: User variables in query cause server crash - test result. mysql-test/t/user_var.test: Fix for bug #32260: User variables in query cause server crash - test case. sql/item_func.cc: Fix for bug #32260: User variables in query cause server crash - using the result_field ensure it is set.
---
 mysql-test/r/user_var.result | 11 +++++++++++
 mysql-test/t/user_var.test | 21 +++++++++++++++++++++
 sql/item_func.cc | 3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result
index 6fd7b39f226..431134b03c7 100644
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -353,3 +353,14 @@ select @a:=f4, count(f4) from t1 group by 1 desc;
 2.6 1
 1.6 4
 drop table t1;
+create table t1(a int);
+insert into t1 values(5),(4),(4),(3),(2),(2),(2),(1);
+set @rownum := 0;
+set @rank := 0;
+set @prev_score := NULL;
+select @rownum := @rownum + 1 as row,
+@rank := IF(@prev_score!=a, @rownum, @rank) as rank,
+@prev_score := a as score
+from t1 order by score desc;
+drop table t1;
+End of 5.1 tests
diff --git a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test
index 3a3e8f88f83..a2f12bb495c 100644
--- a/mysql-test/t/user_var.test
+++ b/mysql-test/t/user_var.test
@@ -237,3 +237,24 @@ select @a:=f2, count(f2) from t1 group by 1 desc;
 select @a:=f3, count(f3) from t1 group by 1 desc;
 select @a:=f4, count(f4) from t1 group by 1 desc;
 drop table t1;
+
+#
+# Bug #32260: User variables in query cause server crash
+#
+create table t1(a int);
+insert into t1 values(5),(4),(4),(3),(2),(2),(2),(1);
+set @rownum := 0;
+set @rank := 0;
+set @prev_score := NULL;
+# Disable the result log as we assign a value to a user variable in one part
+# of a statement and use the same variable in other part of the same statement,
+# so we can get unexpected results.
+--disable_result_log
+select @rownum := @rownum + 1 as row,
+ @rank := IF(@prev_score!=a, @rownum, @rank) as rank,
+ @prev_score := a as score
+from t1 order by score desc;
+--enable_result_log
+drop table t1;
+
+--echo End of 5.1 tests
diff --git a/sql/item_func.cc b/sql/item_func.cc
index ec0ecc89394..0b98d5c77dc 100644
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -3842,7 +3842,8 @@ Item_func_set_user_var::fix_length_and_dec()
 bool Item_func_set_user_var::register_field_in_read_map(uchar *arg)
 {
 TABLE *table= (TABLE *) arg;
- if (result_field->table == table || !table)
+ if (result_field &&
+ (!table || result_field->table == table))
 bitmap_set_bit(result_field->table->read_set, result_field->field_index);
 return 0;
 }
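Review bot: The new `result_field &&` guard in register_field_in_read_map() has no comment saying that result_field can legitimately be unset at this point, so the test reads as arbitrary and could be dropped in a later cleanup. I would put a line above the condition, for example `/* result_field is not always assigned when the read map is adjusted (bug #32260); nothing to mark then */`. The crash was a NULL dereference reachable from an ordinary SELECT using user variables, which suggests any account allowed to run queries could take the server down. For that reason it is worth checking whether other members of Item_func_set_user_var dereference result_field without the same test; none are visible in this hunk, so that is only a suggestion to audit.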