revision-id: a9620392134390344307ac7c832a5b8a1555d622 (mariadb-10.5.2-572-ga9620392134) parent(s): d81668299770cbe7c70af0030f25ca4242af5bb6 author: Sergei Petrunia committer: Sergei Petrunia timestamp: 2021-04-09 00:37:57 +0300 message: MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field ... mysql_derived_prepare() sets Name_resolution_context::outer_context=NULL for the WHERE clause's context. Do the same for all ON expressions, too. --- mysql-test/suite/json/r/json_table.result | 11 +++++++++++ mysql-test/suite/json/t/json_table.test | 14 ++++++++++++++ sql/sql_derived.cc | 18 ++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/mysql-test/suite/json/r/json_table.result b/mysql-test/suite/json/r/json_table.result index 3910a5977a2..9f1d1bce99e 100644 --- a/mysql-test/suite/json/r/json_table.result +++ b/mysql-test/suite/json/r/json_table.result @@ -704,6 +704,17 @@ RIGHT JOIN JSON_TABLE('[]', '$' COLUMNS(o3 FOR ORDINALITY)) AS jt3 ON(1) WHERE 0; ERROR 42S22: Unknown column 'jt1.a' in 'JSON_TABLE argument' +# +# MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field upon subquery with unknown column +# +CREATE TABLE t1 (a INT); +CREATE TABLE t2 (b INT); +SELECT * FROM ( SELECT * FROM t1 JOIN t2 ON (b IN(SELECT x FROM (SELECT 1 AS c) AS sq1))) AS sq2; +ERROR 42S22: Unknown column 'x' in 'field list' +DROP TABLE t1, t2; +# +# Another testcase +# create table t1 (item_name varchar(32), item_props varchar(1024)); insert into t1 values ('Jeans', '{"color": ["green", "brown"], "price": 50}'); insert into t1 values ('Shirt', '{"color": ["blue", "white"], "price": 20}'); diff --git a/mysql-test/suite/json/t/json_table.test b/mysql-test/suite/json/t/json_table.test index f8198322d7d..aa4e7397a6a 100644 --- a/mysql-test/suite/json/t/json_table.test +++ b/mysql-test/suite/json/t/json_table.test @@ -601,6 +601,20 @@ JSON_TABLE('[]', '$' COLUMNS(a TEXT PATH '$[*]')) AS jt1 ON(1) WHERE 0; +--echo # +--echo # MDEV-25346: JSON_TABLE: Server crashes in Item_field::fix_outer_field upon subquery with unknown column +--echo # +CREATE TABLE t1 (a INT); +CREATE TABLE t2 (b INT); + +--error ER_BAD_FIELD_ERROR +SELECT * FROM ( SELECT * FROM t1 JOIN t2 ON (b IN(SELECT x FROM (SELECT 1 AS c) AS sq1))) AS sq2; + +DROP TABLE t1, t2; + +--echo # +--echo # Another testcase +--echo # create table t1 (item_name varchar(32), item_props varchar(1024)); insert into t1 values ('Jeans', '{"color": ["green", "brown"], "price": 50}'); insert into t1 values ('Shirt', '{"color": ["blue", "white"], "price": 20}'); diff --git a/sql/sql_derived.cc b/sql/sql_derived.cc index 35b4294707f..90e0b6068f9 100644 --- a/sql/sql_derived.cc +++ b/sql/sql_derived.cc @@ -23,6 +23,7 @@ #include "mariadb.h" /* NO_EMBEDDED_ACCESS_CHECKS */ +#include <functional> #include "sql_priv.h" #include "unireg.h" #include "sql_derived.h" @@ -760,7 +761,24 @@ bool mysql_derived_prepare(THD *thd, LEX *lex, TABLE_LIST *derived) /* prevent name resolving out of derived table */ for (SELECT_LEX *sl= first_select; sl; sl= sl->next_select()) { + // Prevent it for the WHERE clause sl->context.outer_context= 0; + + // And for ON clauses, if there are any + std::function<void(List<TABLE_LIST>&)> reset_context= + [&](List<TABLE_LIST> &join_list) + { + List_iterator<TABLE_LIST> li(join_list); + while (TABLE_LIST *table= li++) + { + if (table->on_context) + table->on_context->outer_context= NULL; + if (table->nested_join) + reset_context(table->nested_join->join_list); + } + }; + reset_context(*sl->join_list); + if (!derived->is_with_table_recursive_reference() || (!derived->with->with_anchor && !derived->with->is_with_prepared_anchor()))