Fix for bug #32260: User variables in query cause server crash

Problem: there's no guarantee that the user variable item's result_field is assigned when we're adjusting its table read map. Fix: check the result_field before using it. mysql-test/r/user_var.result: Fix for bug #32260: User variables in query cause server crash - test result. mysql-test/t/user_var.test: Fix for bug #32260: User variables in query cause server crash - test case. sql/item_func.cc: Fix for bug #32260: User variables in query cause server crash - using the result_field ensure it is set.

Fix for bug #32260: User variables in query cause server crash
Problem: there's no guarantee that the user variable item's result_field is assigned when we're adjusting its table read map. Fix: check the result_field before using it. mysql-test/r/user_var.result: Fix for bug #32260: User variables in query cause server crash - test result. mysql-test/t/user_var.test: Fix for bug #32260: User variables in query cause server crash - test case. sql/item_func.cc: Fix for bug #32260: User variables in query cause server crash - using the result_field ensure it is set.
011eb3df · unknown · c8450b27 · 011eb3df · 011eb3df · 011eb3df
Commit 011eb3df authored Nov 17, 2007 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 1 deletion

mysql-test/r/user_var.result mysql-test/r/user_var.result +11 -0

mysql-test/t/user_var.test mysql-test/t/user_var.test +21 -0

sql/item_func.cc sql/item_func.cc +2 -1

No files found.
--- a/mysql-test/r/user_var.result
+++ b/mysql-test/r/user_var.result
@@ -353,3 +353,14 @@ select @a:=f4, count(f4) from t1 group by 1 desc;
 2.6	1
 1.6	4
 drop table t1;
+create table t1(a int);
+insert into t1 values(5),(4),(4),(3),(2),(2),(2),(1);
+set @rownum := 0;
+set @rank := 0;
+set @prev_score := NULL;
+select @rownum := @rownum + 1 as row,
+@rank := IF(@prev_score!=a, @rownum, @rank) as rank,
+@prev_score := a as score
+from t1 order by score desc;
+drop table t1;
+End of 5.1 tests
--- a/mysql-test/t/user_var.test
+++ b/mysql-test/t/user_var.test
@@ -237,3 +237,24 @@ select @a:=f2, count(f2) from t1 group by 1 desc;
 select @a:=f3, count(f3) from t1 group by 1 desc;
 select @a:=f4, count(f4) from t1 group by 1 desc;
 drop table t1;
+
+#
+# Bug #32260: User variables in query cause server crash
+#
+create table t1(a int);
+insert into t1 values(5),(4),(4),(3),(2),(2),(2),(1);
+set @rownum := 0;
+set @rank := 0;
+set @prev_score := NULL;
+# Disable the result log as we assign a value to a user variable in one part 
+# of a statement and use the same variable in other part of the same statement,
+# so we can get unexpected results.
+--disable_result_log
+select @rownum := @rownum + 1 as row,
+ @rank := IF(@prev_score!=a, @rownum, @rank) as rank,
+ @prev_score := a as score
+from t1 order by score desc;
+--enable_result_log
+drop table t1;
+
+--echo End of 5.1 tests
--- a/sql/item_func.cc
+++ b/sql/item_func.cc
@@ -3842,7 +3842,8 @@ Item_func_set_user_var::fix_length_and_dec()
 bool Item_func_set_user_var::register_field_in_read_map(uchar *arg)
 {
  TABLE *table= (TABLE *) arg;
-  if (result_field->table == table || !table)
+  if (result_field &&
+      (!table || result_field->table == table))
    bitmap_set_bit(result_field->table->read_set, result_field->field_index);
  return 0;
 }