Fix for bug #33389: Selecting from a view into a table from within SP

or trigger crashes server Under some circumstances a combination of VIEWs, subselects with outer references and PS/SP/triggers could lead to use of uninitialized memory and server crash as a result. Fixed by changing the code in Item_field::fix_fields() so that in cases when the field is a VIEW reference, we first check whether the field is also an outer reference, and mark it appropriately before returning.

Fix for bug #33389: Selecting from a view into a table from within SP
or trigger crashes server Under some circumstances a combination of VIEWs, subselects with outer references and PS/SP/triggers could lead to use of uninitialized memory and server crash as a result. Fixed by changing the code in Item_field::fix_fields() so that in cases when the field is a VIEW reference, we first check whether the field is also an outer reference, and mark it appropriately before returning.
97c105cc · kaa@mbp · 6619db58 · 97c105cc · 97c105cc · 97c105cc
Commit 97c105cc authored Feb 12, 2008 by kaa@mbp
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 12 deletions

mysql-test/r/view.result mysql-test/r/view.result +16 -0

mysql-test/t/view.test mysql-test/t/view.test +22 -0

sql/item.cc sql/item.cc +12 -12

No files found.
--- a/mysql-test/r/view.result
+++ b/mysql-test/r/view.result
@@ -3618,4 +3618,20 @@ ERROR HY000: Field of view 'test.v1' underlying table doesn't have a default val
 set @@sql_mode=@old_mode;
 drop view v1;
 drop table t1;
+create table t1 (a int, key(a));
+create table t2 (c int);
+create view v1 as select a b from t1;
+create view v2 as select 1 a from t2, v1 where c in 
+(select 1 from t1 where b = a);
+insert into t1 values (1), (1);
+insert into t2 values (1), (1);
+prepare stmt from "select * from v2 where a = 1";
+execute stmt;
+a
+1
+1
+1
+1
+drop view v1, v2;
+drop table t1, t2;
 End of 5.0 tests.
--- a/mysql-test/t/view.test
+++ b/mysql-test/t/view.test
@@ -3470,5 +3470,27 @@ insert into v1 values(1);
 set @@sql_mode=@old_mode;
 drop view v1;
 drop table t1;
+#
+# Bug #33389: Selecting from a view into a table from within SP or trigger 
+#             crashes server
+#
+create table t1 (a int, key(a));
+create table t2 (c int);
+create view v1 as select a b from t1;
+create view v2 as select 1 a from t2, v1 where c in 
+                  (select 1 from t1 where b = a);
+insert into t1 values (1), (1);
+insert into t2 values (1), (1);
+prepare stmt from "select * from v2 where a = 1";
+execute stmt; 
+drop view v1, v2;
+drop table t1, t2;
 --echo End of 5.0 tests.
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -3903,6 +3903,18 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
    else if (!from_field)
      goto error;
+    if (!outer_fixed && cached_table && cached_table->select_lex &&
+          context->select_lex &&
+          cached_table->select_lex != context->select_lex)
+    {
+      int ret;
+      if ((ret= fix_outer_field(thd, &from_field, reference)) < 0)
+        goto error;
+      else if (!ret)
+        return FALSE;
+      outer_fixed= 1;
+    }
    /*
      if it is not expression from merged VIEW we will set this field.
@@ -3918,18 +3930,6 @@ bool Item_field::fix_fields(THD *thd, Item **reference)
    if (from_field == view_ref_found)
      return FALSE;
-    if (!outer_fixed && cached_table && cached_table->select_lex &&
-          context->select_lex &&
-          cached_table->select_lex != context->select_lex)
-    {
-      int ret;
-      if ((ret= fix_outer_field(thd, &from_field, reference)) < 0)
-        goto error;
-      else if (!ret)
-        return FALSE;
-      outer_fixed= 1;
-    }
    set_field(from_field);
    if (thd->lex->in_sum_func &&
        thd->lex->in_sum_func->nest_level ==