Fix for bug #35298: GROUP_CONCAT with DISTINCT can crash the server

The bug is a regression introduced by the patch for bug32798. The code in Item_func_group_concat::clear() relied on the 'distinct' variable to check if 'unique_filter' was initialized. That, however, is not always valid because Item_func_group_concat::setup() can do shortcuts in some cases w/o initializing 'unique_filter'. Fixed by checking the value of 'unique_filter' instead of 'distinct' before dereferencing. mysql-test/r/func_gconcat.result: Added test cases for bugs #35298 and #36024. mysql-test/t/func_gconcat.test: Added test cases for bugs #35298 and #36024. sql/item_sum.cc: Check if unique_filter != NULL before dereferencing it. Non-zero value of distinct does not always mean that unique_filter is initialized because Item_func_group_concat::setup() can do shortcuts is some cases

Fix for bug #35298: GROUP_CONCAT with DISTINCT can crash the server
The bug is a regression introduced by the patch for bug32798. The code in Item_func_group_concat::clear() relied on the 'distinct' variable to check if 'unique_filter' was initialized. That, however, is not always valid because Item_func_group_concat::setup() can do shortcuts in some cases w/o initializing 'unique_filter'. Fixed by checking the value of 'unique_filter' instead of 'distinct' before dereferencing. mysql-test/r/func_gconcat.result: Added test cases for bugs #35298 and #36024. mysql-test/t/func_gconcat.test: Added test cases for bugs #35298 and #36024. sql/item_sum.cc: Check if unique_filter != NULL before dereferencing it. Non-zero value of distinct does not always mean that unique_filter is initialized because Item_func_group_concat::setup() can do shortcuts is some cases
1a68ec28 · unknown · cf2b2cc5 · 1a68ec28 · 1a68ec28 · 1a68ec28
Commit 1a68ec28 authored May 01, 2008 by unknown
Showing with 63 additions and 1 deletion

mysql-test/r/func_gconcat.result mysql-test/r/func_gconcat.result +26 -0

mysql-test/t/func_gconcat.test mysql-test/t/func_gconcat.test +36 -0

sql/item_sum.cc sql/item_sum.cc +1 -1

No files found.
--- a/mysql-test/r/func_gconcat.result
+++ b/mysql-test/r/func_gconcat.result
@@ -946,4 +946,30 @@ GROUP BY 1
 d1
 NULL
 DROP TABLE t1;
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (a INT);
+INSERT INTO t1 VALUES(1);
+SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
+GROUP_CONCAT(DISTINCT t2.a)
+NULL
+DROP TABLE t1, t2;
+CREATE TABLE t1 (a INT, KEY(a));
+CREATE TABLE t2 (b INT);
+INSERT INTO t1 VALUES (NULL), (8), (2);
+INSERT INTO t2 VALUES (4), (10);
+SELECT 1 FROM t1 WHERE t1.a NOT IN
+(
+SELECT GROUP_CONCAT(DISTINCT t1.a)
+FROM  t1 WHERE t1.a IN   
+(
+SELECT b FROM t2
+) 
+AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
+GROUP BY t1.a
+);
+1
+1
+1
+1
+DROP TABLE t1, t2;
 End of 5.0 tests
--- a/mysql-test/t/func_gconcat.test
+++ b/mysql-test/t/func_gconcat.test
@@ -657,4 +657,40 @@ SELECT s1.d1 FROM
 ) AS s1;
 DROP TABLE t1;

+#
+# Bug #35298: GROUP_CONCAT with DISTINCT can crash the server
+#
+
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2 (a INT);
+
+INSERT INTO t1 VALUES(1);
+
+SELECT GROUP_CONCAT(DISTINCT t2.a) FROM t1 LEFT JOIN t2 ON t2.a = t1.a GROUP BY t1.a;
+
+DROP TABLE t1, t2;
+
+#
+# Bug #36024: group_concat distinct in subquery crash
+#
+
+CREATE TABLE t1 (a INT, KEY(a));
+CREATE TABLE t2 (b INT);
+
+INSERT INTO t1 VALUES (NULL), (8), (2);
+INSERT INTO t2 VALUES (4), (10);
+
+SELECT 1 FROM t1 WHERE t1.a NOT IN
+(
+  SELECT GROUP_CONCAT(DISTINCT t1.a)
+  FROM  t1 WHERE t1.a IN   
+  (
+    SELECT b FROM t2
+  ) 
+  AND NOT t1.a >= (SELECT t1.a FROM t1 LIMIT 1)
+  GROUP BY t1.a
+);
+
+DROP TABLE t1, t2;
+
 --echo End of 5.0 tests
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -3222,7 +3222,7 @@ void Item_func_group_concat::clear()
  no_appended= TRUE;
  if (tree)
    reset_tree(tree);
-  if (distinct)
+  if (unique_filter)
    unique_filter->reset();
  /* No need to reset the table as we never call write_row */
 }