BUG#21477 "memory overruns for certain kinds of subqueries":

make st_select_lex::setup_ref_array() take into account that Item_sum-descendant objects located within descendant SELECTs may be added into ref_pointer_array.

BUG#21477 "memory overruns for certain kinds of subqueries":
make st_select_lex::setup_ref_array() take into account that Item_sum-descendant objects located within descendant SELECTs may be added into ref_pointer_array.
80cccd41 · sergefp@mysql.com · f0793773 · 80cccd41 · 80cccd41 · 80cccd41
Commit 80cccd41 authored Sep 01, 2006 by sergefp@mysql.com
Show whitespace changes
Inline Side-by-side

Showing with 16 additions and 6 deletions

sql/item_sum.cc sql/item_sum.cc +3 -1

sql/sql_lex.cc sql/sql_lex.cc +4 -4

sql/sql_lex.h sql/sql_lex.h +7 -1

sql/sql_yacc.yy sql/sql_yacc.yy +2 -0

No files found.
--- a/sql/item_sum.cc
+++ b/sql/item_sum.cc
@@ -290,7 +290,9 @@ Item_sum::Item_sum(THD *thd, Item_sum *item):
 void Item_sum::mark_as_sum_func()
 {
-  current_thd->lex->current_select->with_sum_func= 1;
+  SELECT_LEX *cur_select= current_thd->lex->current_select;
+  cur_select->n_sum_items++;
+  cur_select->with_sum_func= 1;
  with_sum_func= 1;
 }

--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -1521,10 +1521,10 @@ bool st_select_lex::setup_ref_array(THD *thd, uint order_group_num)
  */
  Query_arena *arena= thd->stmt_arena;
  return (ref_pointer_array=
-          (Item **)arena->alloc(sizeof(Item*) *
+          (Item **)arena->alloc(sizeof(Item*) * (n_child_sum_items +
-                                (item_list.elements +
+                                                 item_list.elements +
                                                 select_n_having_items +
-                                 order_group_num)* 5)) == 0;
+                                                 order_group_num)*5)) == 0;
 }

--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -548,6 +548,12 @@ public:
  bool  braces;   	/* SELECT ... UNION (SELECT ... ) <- this braces */
  /* TRUE when having fix field called in processing of this SELECT */
  bool having_fix_field;
+  /* Number of Item_sum-derived objects in this SELECT */
+  uint n_sum_items;
+  /* Number of Item_sum-derived objects in children and descendant SELECTs */
+  uint n_child_sum_items;
  /* explicit LIMIT clause was used */
  bool explicit_limit;
  /*
@@ -640,7 +646,7 @@ public:
  bool test_limit();
  friend void lex_start(THD *thd, uchar *buf, uint length);
-  st_select_lex() {}
+  st_select_lex() : n_sum_items(0), n_child_sum_items(0) {}
  void make_empty_select()
  {
    init_query();

--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -8927,8 +8927,10 @@ subselect_end:
 	{
 	  LEX *lex=Lex;
          lex->pop_context();
+          SELECT_LEX *child= lex->current_select;
 	  lex->current_select = lex->current_select->return_after_parsing();
          lex->nest_level--;
+          lex->current_select->n_child_sum_items += child->n_sum_items;
 	};
 /**************************************************************************