Bug#25126: Reference to non-existant column in UPDATE...ORDER BY... crashes server

"update existingtable set anycolumn=nonexisting order by nonexisting" would crash
the server.

Though we would find the reference to a field, that doesn't mean we can then use
it to set some values.  It could be a reference to another field.  If it is NULL, 
don't try to use it to set values in the Item_field and instead return an error.

Over the previous patch, this signals an error at the location of the error, rather
than letting the subsequent deref signal it.

mysql-test/r/order_by.result

@@ -847,3 +847,27 @@ num	(select num + 2 FROM t1 LIMIT 1)
 SELECT a.a + 1 AS num FROM t1 a JOIN t1 b ON num = b.a;
 ERROR 42S22: Unknown column 'num' in 'on clause'
 DROP TABLE t1;
+CREATE TABLE bug25126 (
+val int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY
+);
+UPDATE bug25126 SET MissingCol = MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'field list'
+UPDATE bug25126 SET val = val ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = val ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = 1 ORDER BY val, MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET val = MissingCol ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = 1 ORDER BY val, MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = 1 ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = val ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+UPDATE bug25126 SET MissingCol = MissingCol ORDER BY MissingCol;
+ERROR 42S22: Unknown column 'MissingCol' in 'order clause'
+DROP TABLE bug25126;

mysql-test/t/order_by.test

@@ -575,4 +575,34 @@ SELECT a + 1 AS num, (select num + 2 FROM t1 LIMIT 1) FROM t1;
 SELECT a.a + 1 AS num FROM t1 a JOIN t1 b ON num = b.a;
 DROP TABLE t1;
 
+#
+# Bug#25126: Reference to non-existant column in UPDATE...ORDER BY... 
+#       crashes server
+#
+CREATE TABLE bug25126 (
+  val int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY
+);
+--error 1054
+UPDATE bug25126 SET MissingCol = MissingCol;
+--error 1054
+UPDATE bug25126 SET val = val ORDER BY MissingCol;
+UPDATE bug25126 SET val = val ORDER BY val;
+UPDATE bug25126 SET val = 1 ORDER BY val;
+--error 1054
+UPDATE bug25126 SET val = 1 ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET val = 1 ORDER BY val, MissingCol;
+--error 1054
+UPDATE bug25126 SET val = MissingCol ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = 1 ORDER BY val, MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = 1 ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = val ORDER BY MissingCol;
+--error 1054
+UPDATE bug25126 SET MissingCol = MissingCol ORDER BY MissingCol;
+DROP TABLE bug25126;
+
+
 # End of 4.1 tests

sql/item.cc

@@ -1771,7 +1771,18 @@ bool Item_field::fix_fields(THD *thd, TABLE_LIST *tables, Item **ref)
              use the field from the Item_field in the select list and leave
              the Item_field instance in place.
             */
-            set_field((*((Item_field**)res))->field);
+
+            Field *field= (*((Item_field**)res))->field;
+
+            if (field == NULL)
+            {
+              /* The column to which we link isn't valid. */
+              my_error(ER_BAD_FIELD_ERROR, MYF(0), (*res)->name, 
+                       current_thd->where);
+              return(1);
+            }
+
+            set_field(field);
             return 0;
           }
           else