From: Date: December 7 2007 8:54pm
Subject: bk commit into 5.1 tree (evgen:1.2671) BUG#32482
List-Archive: http://lists.mysql.com/commits/39573
X-Bug: 32482
Message-Id: <20071207195452.1A8CB53B76@moonbone.localdomain>

Below is the list of changes that have just been committed into a local
5.1 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-12-07 22:54:47+03:00, evgen@stripped +3 -0
  Bug#32482: Crash for a query with ORDER BY a user variable.
  
  The Item_func_set_user_var::register_field_in_read_map() did not check 
  that the result_field was null.This caused server crashes for queries that
  required order by such a field and were executed without using a temporary
  table.
  
  The Item_func_set_user_var::register_field_in_read_map() now checks the
  result_field to be not null.

  mysql-test/r/user_var.result@stripped, 2007-12-07 22:53:53+03:00, evgen@stripped +7 -0
    Added a test case for the bug#32482: Crash for a query with ORDER BY a user variable.

  mysql-test/t/user_var.test@stripped, 2007-12-07 22:53:30+03:00, evgen@stripped +8 -0
    Added a test case for the bug#32482: Crash for a query with ORDER BY a user variable.

  sql/item_func.cc@stripped, 2007-12-07 22:54:15+03:00, evgen@stripped +6 -3
    Bug#32482: Crash for a query with ORDER BY a user variable.
    The Item_func_set_user_var::register_field_in_read_map() now checks the
    result_field to be not null.

diff -Nrup a/mysql-test/r/user_var.result b/mysql-test/r/user_var.result
--- a/mysql-test/r/user_var.result	2007-06-04 09:07:19 +04:00
+++ b/mysql-test/r/user_var.result	2007-12-07 22:53:53 +03:00
@@ -353,3 +353,10 @@ select @a:=f4, count(f4) from t1 group b
 2.6	1
 1.6	4
 drop table t1;
+create table t1 (f1 int);
+insert into t1 values (2), (1);
+select @i := f1 as j from t1 order by 1;
+j
+1
+2
+drop table t1;
diff -Nrup a/mysql-test/t/user_var.test b/mysql-test/t/user_var.test
--- a/mysql-test/t/user_var.test	2007-06-03 16:06:53 +04:00
+++ b/mysql-test/t/user_var.test	2007-12-07 22:53:30 +03:00
@@ -237,3 +237,11 @@ select @a:=f2, count(f2) from t1 group b
 select @a:=f3, count(f3) from t1 group by 1 desc;
 select @a:=f4, count(f4) from t1 group by 1 desc;
 drop table t1;
+
+#
+# Bug#32482: Crash for a query with ORDER BY a user variable.
+#
+create table t1 (f1 int);
+insert into t1 values (2), (1);
+select @i := f1 as j from t1 order by 1;
+drop table t1;
diff -Nrup a/sql/item_func.cc b/sql/item_func.cc
--- a/sql/item_func.cc	2007-12-06 03:46:47 +03:00
+++ b/sql/item_func.cc	2007-12-07 22:54:15 +03:00
@@ -3848,9 +3848,12 @@ Item_func_set_user_var::fix_length_and_d
 
 bool Item_func_set_user_var::register_field_in_read_map(uchar *arg)
 {
-  TABLE *table= (TABLE *) arg;
-  if (result_field->table == table || !table)
-    bitmap_set_bit(result_field->table->read_set, result_field->field_index);
+  if (result_field)
+  {
+    TABLE *table= (TABLE *) arg;
+    if (result_field->table == table || !table)
+      bitmap_set_bit(result_field->table->read_set, result_field->field_index);
+  }
   return 0;
 }