From 9b6ac73419256cf3c9554d8a782c4eaee6c6cf79 Mon Sep 17 00:00:00 2001 From: Chaithra Gopalareddy Date: Mon, 2 Nov 2015 16:30:57 +0530 Subject: [PATCH] Bug#20755389 SERVER CRASHES IN ITEM_FUNC_GROUP_CONCAT::FIX_FIELDS ON 2ND EXECUTION OF PS Description: ------------ When MySQL calls 'EXECUTE stmt' firstly to deal with ORDER BY clause which is similar with 'ORDER BY 1,(t2a.f2+1)' in find_order_in_list(), it believes the first expression is a position, the function replaces the pointer of the first expression with Item_field object associated with a temporary table field, then releases it after the end of the execution, that behavior destroys the pointer of first expression. After that, when MySQL calls 'EXECUTE stmt' once more, the first expression points to an invalid pointer, so it crashed. Fix: ---- If an item of ORDER clause is a location, reset 'args' with a original value. --- sql/item_sum.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sql/item_sum.cc b/sql/item_sum.cc index f491795c449..b63cbbd3c26 100644 --- a/sql/item_sum.cc +++ b/sql/item_sum.cc @@ -3184,7 +3184,9 @@ void Item_func_group_concat::cleanup() ORDER **order_ptr= order; for (uint i= 0; i < arg_count_order; i++) { - (*order_ptr)->item= &args[arg_count_field + i]; + + if ((*order_ptr)->counter_used) + args[arg_count_field + i]= (*order_ptr)->item_ptr; order_ptr++; } DBUG_VOID_RETURN;
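Review bot: dropping the unconditional `(*order_ptr)->item= &args[arg_count_field + i];` reset in favour of the `counter_used`-guarded restore leaves the non-positional case (counter_used false) with no restoration at all in `Item_func_group_concat::cleanup()`; confirm that `item` can never be redirected for a non-positional ORDER element between executions, otherwise keep the original assignment next to the new `args[arg_count_field + i]= (*order_ptr)->item_ptr;` rather than replacing it. The new restore also depends on `item_ptr` still holding the original parsed expression (owned by the prepared-statement arena) when cleanup runs, since the whole bug is a dangling `args` pointer on the second EXECUTE; a one-line comment stating that, and that `counter_used` marks an `ORDER BY <position>` element, would make the intent clear to the next reader. The stray empty `+` line before the `if` should be removed, and a regression test that prepares and re-executes a statement with GROUP_CONCAT ... ORDER BY 1,(expr) belongs with the change, as the commit touches only sql/item_sum.cc.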