From 97c105cc17b79ff8c2a55e0619a7c737e789f071 Mon Sep 17 00:00:00 2001
From: "kaa@mbp." <>
Date: Tue, 12 Feb 2008 12:43:55 +0300
Subject: [PATCH] Fix for bug #33389: Selecting from a view into a table from
 within SP                     or trigger crashes server

Under some circumstances a combination of VIEWs, subselects with outer
references and PS/SP/triggers could lead to use of uninitialized memory
and server crash as a result.

Fixed by changing the code in Item_field::fix_fields() so that in cases
when the field is a VIEW reference, we first check whether the field
is also an outer reference, and mark it appropriately before returning.
---
 mysql-test/r/view.result | 16 ++++++++++++++++
 mysql-test/t/view.test   | 22 ++++++++++++++++++++++
 sql/item.cc              | 24 ++++++++++++------------
 3 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/mysql-test/r/view.result b/mysql-test/r/view.result
index fb36304e562..f7f6debee6e 100644
--- a/mysql-test/r/view.result
+++ b/mysql-test/r/view.result
@@ -3618,4 +3618,20 @@ ERROR HY000: Field of view 'test.v1' underlying table doesn't have a default val
 set @@sql_mode=@old_mode;
 drop view v1;
 drop table t1;
+create table t1 (a int, key(a));
+create table t2 (c int);
+create view v1 as select a b from t1;
+create view v2 as select 1 a from t2, v1 where c in 
+(select 1 from t1 where b = a);
+insert into t1 values (1), (1);
+insert into t2 values (1), (1);
+prepare stmt from "select * from v2 where a = 1";
+execute stmt;
+a
+1
+1
+1
+1
+drop view v1, v2;
+drop table t1, t2;
 End of 5.0 tests.
diff --git a/mysql-test/t/view.test b/mysql-test/t/view.test
index 340a34db5a1..b321f8604f7 100644
--- a/mysql-test/t/view.test
+++ b/mysql-test/t/view.test
@@ -3470,5 +3470,27 @@ insert into v1 values(1);
 set @@sql_mode=@old_mode;
 drop view v1;
 drop table t1;
+
+#
+# Bug #33389: Selecting from a view into a table from within SP or trigger 
+#             crashes server
+#
+
+create table t1 (a int, key(a));
+create table t2 (c int);
+                   
+create view v1 as select a b from t1;
+create view v2 as select 1 a from t2, v1 where c in 
+                  (select 1 from t1 where b = a);
+                   
+insert into t1 values (1), (1);
+insert into t2 values (1), (1);
+                   
+prepare stmt from "select * from v2 where a = 1";
+execute stmt; 
+
+drop view v1, v2;
+drop table t1, t2;
+
 --echo End of 5.0 tests.
 
diff --git a/sql/item.cc b/sql/item.cc
index 713e7709bcb..8283e1a13d3 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -3903,6 +3903,18 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
     else if (!from_field)
       goto error;
 
+    if (!outer_fixed && cached_table && cached_table->select_lex &&
+          context->select_lex &&
+          cached_table->select_lex != context->select_lex)
+    {
+      int ret;
+      if ((ret= fix_outer_field(thd, &from_field, reference)) < 0)
+        goto error;
+      else if (!ret)
+        return FALSE;
+      outer_fixed= 1;
+    }
+
     /*
       if it is not expression from merged VIEW we will set this field.
 
@@ -3918,18 +3930,6 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
     if (from_field == view_ref_found)
       return FALSE;
 
-    if (!outer_fixed && cached_table && cached_table->select_lex &&
-          context->select_lex &&
-          cached_table->select_lex != context->select_lex)
-    {
-      int ret;
-      if ((ret= fix_outer_field(thd, &from_field, reference)) < 0)
-        goto error;
-      else if (!ret)
-        return FALSE;
-      outer_fixed= 1;
-    }
-
     set_field(from_field);
     if (thd->lex->in_sum_func &&
         thd->lex->in_sum_func->nest_level ==