From c0977073e18d070810c20026defc63794154e288 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik <sergii@pisem.net>
Date: Fri, 3 Oct 2014 23:04:25 +0200
Subject: [PATCH] MDEV-6743 crash in GROUP_CONCAT(IF () ORDER BY 1)

backport the new fix from 10.0
---
 sql/item_sum.cc   | 12 ------------
 sql/sql_select.cc |  2 +-
 2 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/sql/item_sum.cc b/sql/item_sum.cc
index d6ecba4a754..27456a94543 100644
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -3295,18 +3295,6 @@ void Item_func_group_concat::cleanup()
     DBUG_ASSERT(tree == 0);
   }
 
-  /*
-    For prepared statements we have to restore pointers for ORDER BY as
-    they may point to areas that are freed at cleanup().
-  */
-  if (!current_thd->stmt_arena->is_conventional() && arg_count_order)
-  {
-    memcpy(args + arg_count_field, orig_args + arg_count_field,
-           sizeof(Item*) * arg_count_order);
-
-    for (uint i= 0 ; i < arg_count_order ; i++)
-      order[i]->item = args + arg_count_field + i;
-  }
   DBUG_VOID_RETURN;
 }
 
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 1b57cb24308..af2b489c8b6 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -20425,7 +20425,7 @@ find_order_in_list(THD *thd, Item **ref_pointer_array, TABLE_LIST *tables,
                order_item->full_name(), thd->where);
       return TRUE;
     }
-    order->item= ref_pointer_array + count - 1;
+    thd->change_item_tree((Item**)&order->item, (Item*)(ref_pointer_array + count - 1));
     order->in_field_list= 1;
     order->counter= count;
     order->counter_used= 1;