From: Date: March 2 2007 10:13pm Subject: bk commit into 5.0 tree (evgen:1.2428) BUG#25126 List-Archive: http://lists.mysql.com/commits/21059 X-Bug: 25126 Message-Id: <20070302211310.CC4E422D1D7@moonbone.moonbone.local> Below is the list of changes that have just been committed into a local 5.0 repository of evgen. When evgen does a push these changes will be propagated to the main repository and, within 24 hours after the push, to the public repository. For information on how to access the public repository see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html ChangeSet@stripped, 2007-03-03 00:13:07+03:00, evgen@stripped +4 -0 Bug#25126: Wrongly resolved field leads to a crash. When the ORDER BY clause is fixed, it is allowed to search the current item_list in order to find aliased fields and expressions. This is ok for a SELECT but wrong for an UPDATE statement. If the ORDER BY clause contains a non-existent field that is also mentioned in the UPDATE SET list, the server crashes because it uses the non-existent (0x0) field. Now item list lookups while item fixing are allowed only for selects. mysql-test/r/update.result@stripped, 2007-03-02 23:52:08+03:00, evgen@stripped +4 -0 Added a test case for bug#25126: Wrongly resolved field leads to a crash. mysql-test/t/update.test@stripped, 2007-03-02 23:51:37+03:00, evgen@stripped +8 -0 Added a test case for bug#25126: Wrongly resolved field leads to a crash. sql/sql_base.cc@stripped, 2007-03-03 00:12:40+03:00, evgen@stripped +10 -0 Bug#25126: Wrongly resolved field leads to a crash. Now item list lookups while item fixing are allowed only for selects. sql/sql_select.cc@stripped, 2007-03-03 00:11:39+03:00, evgen@stripped +1 -5 Bug#25126: Wrongly resolved field leads to a crash. Now item list lookups while item fixing are allowed only for selects. # This is a BitKeeper patch. What follows are the unified diffs for the # set of deltas contained in the patch.
The rest of the patch, the part # that BitKeeper cares about, is below these diffs. # User: evgen # Host: moonbone.local # Root: /mnt/gentoo64/work/25126-bug-5.0-opt-mysql
--- 1.369/sql/sql_base.cc 2007-03-02 13:23:54 +03:00
+++ 1.370/sql/sql_base.cc 2007-03-03 00:12:40 +03:00
@@ -4420,12 +4420,15 @@
 bool save_set_query_id= thd->set_query_id;
 nesting_map save_allow_sum_func= thd->lex->allow_sum_func;
 List_iterator it(fields);
+ bool save_is_item_list_lookup;
 DBUG_ENTER("setup_fields");
 thd->set_query_id=set_query_id;
 if (allow_sum_func)
 thd->lex->allow_sum_func|= 1 << thd->lex->current_select->nest_level;
 thd->where= THD::DEFAULT_WHERE;
+ save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+ thd->lex->current_select->is_item_list_lookup= 0;
 /* To prevent fail on forward lookup we fill it with zerows,
@@ -4450,6 +4453,7 @@
 {
 thd->lex->allow_sum_func= save_allow_sum_func;
 thd->set_query_id= save_set_query_id;
+ thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
 DBUG_RETURN(TRUE); /* purecov: inspected */
 }
 if (ref)
@@ -4464,6 +4468,7 @@
 thd->lex->allow_sum_func= save_allow_sum_func;
 thd->set_query_id= save_set_query_id;
+ thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
 DBUG_RETURN(test(thd->net.report_error));
 }
@@ -4945,6 +4950,9 @@
 {
 SELECT_LEX *select_lex= thd->lex->current_select;
 Query_arena *arena= thd->stmt_arena, backup;
+ bool save_is_item_list_lookup= thd->lex->current_select->is_item_list_lookup;
+ thd->lex->current_select->is_item_list_lookup= 0;
+
 TABLE_LIST *table= NULL; // For HP compilers
 /* it_is_update set to TRUE when tables of primary SELECT_LEX (SELECT_LEX
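Review bot: The restores added in the @@ -4450 and @@ -4464 hunks read `thd->lex->current_select` a second time, so the value saved at entry is written back into whichever SELECT_LEX is current at exit rather than the one it was taken from; if any of the fix_fields() calls between the hunks switches current_select without restoring it, the flag of the wrong select would be clobbered. Caching the pointer once makes the pairing explicit: `SELECT_LEX *select= thd->lex->current_select;` next to the other locals, `save_is_item_list_lookup= select->is_item_list_lookup; select->is_item_list_lookup= 0;` at entry, and `select->is_item_list_lookup= save_is_item_list_lookup;` at both exits. A one-line comment on the save would also help, e.g. `/* Select-list alias lookups are only valid for SELECT; disable them while these items are fixed (Bug#25126) */`. setup_fields() begins before the @@ -4420 hunk and its loop body lies between the hunks, so any other early return there would leave the flag cleared.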
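Review bot: The two lines added in the @@ -4945 hunk re-read `thd->lex->current_select` although the line directly above already stores it in `select_lex`, and both restores in the @@ -5030 hunk on the next line do the same. Using the local ties save and restore to one object: `bool save_is_item_list_lookup= select_lex->is_item_list_lookup;`, `select_lex->is_item_list_lookup= 0;` and `select_lex->is_item_list_lookup= save_is_item_list_lookup;`. setup_conds() continues between the two hunks, outside this view, so any return or goto there that bypasses the `err_no_arena` label and the final DBUG_RETURN would skip the restore and should be checked.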
@@ -5030,9 +5038,11 @@
 select_lex->where= *conds;
 select_lex->conds_processed_with_permanent_arena= 1;
 }
+ thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
 DBUG_RETURN(test(thd->net.report_error));
 err_no_arena:
+ thd->lex->current_select->is_item_list_lookup= save_is_item_list_lookup;
 DBUG_RETURN(1);
 }
--- 1.495/sql/sql_select.cc 2007-02-27 11:37:15 +03:00
+++ 1.496/sql/sql_select.cc 2007-03-03 00:11:39 +03:00
@@ -403,6 +403,7 @@
 if (thd->derived_tables_processing)
 select_lex->exclude_from_table_unique_test= TRUE;
+ thd->lex->current_select->is_item_list_lookup= 1;
 /* Check that all tables, fields, conds and order are ok */
 if ((!(select_options & OPTION_SETUP_TABLES_DONE) &&
@@ -13265,16 +13266,11 @@
 We check order_item->fixed because Item_func_group_concat can put arguments for which fix_fields already was called. */
- thd->lex->current_select->is_item_list_lookup= 1;
 if (!order_item->fixed && (order_item->fix_fields(thd, order->item) || (order_item= *order->item)->check_cols(1) || thd->is_fatal_error))
- {
- thd->lex->current_select->is_item_list_lookup= 0;
 return TRUE; /* Wrong field. */
- }
- thd->lex->current_select->is_item_list_lookup= 0;
 uint el= all_fields.elements;
 all_fields.push_front(order_item); /* Add new field to field list. */
--- 1.32/mysql-test/r/update.result 2007-02-22 16:11:00 +03:00
+++ 1.33/mysql-test/r/update.result 2007-03-02 23:52:08 +03:00
@@ -453,3 +453,7 @@
 2 0.100000000000000000000000000000 3 NULL DROP TABLE t1;
+create table t1(f1 int);
+update t1 set f2=1 order by f2;
+ERROR 42S22: Unknown column 'f2' in 'order clause'
+drop table t1;
--- 1.30/mysql-test/t/update.test 2007-02-22 16:11:00 +03:00
+++ 1.31/mysql-test/t/update.test 2007-03-02 23:51:37 +03:00
@@ -368,3 +368,11 @@
 SELECT * FROM t1;
 DROP TABLE t1;
+
+ #
+ # Bug#25126: Wrongly resolved field leads to a crash
+ #
+create table t1(f1 int);
+--error 1054
+update t1 set f2=1 order by f2;
+drop table t1;
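Review bot: The flag set in the @@ -403 hunk is never cleared again in JOIN::prepare, so it stays latched on this SELECT_LEX, and the @@ -13265 hunk now relies on that state instead of toggling it locally around fix_fields(); nothing near the assignment says so, and the next reader may well re-add a local toggle. A comment would pin the contract, e.g. `/* Only SELECT may resolve ORDER BY/GROUP BY names against select-list aliases; setup_fields()/setup_conds() clear this flag while they run (Bug#25126) */`. The line above the addition already uses `select_lex`, so `select_lex->is_item_list_lookup= 1;` would read more consistently than going through thd->lex again, provided they refer to the same object at this point. Both hunks sit inside functions that begin outside this view.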