revision-id: 253078337ca6019badfaf359d9302c8a479746ca (mariadb-10.3.35-379-g2530783) parent(s): f513d715382a63415c9342f1cae75be75b441f98 author: Igor Babaev committer: Igor Babaev timestamp: 2023-01-25 11:46:28 -0800 message: MDEV-28616 Crash when using derived table over union with order by clause This bug manifested itself when the server processed a query containing a derived table over union whose ORDER BY clause included a subquery with unresolvable column reference. For such a query the server crashed when trying to resolve column references in the ORDER BY clause used by union. For any union with ORDER BY clause an extra SELECT_LEX structure is created and it is attached to SELECT_LEX_UNIT structure of the union via the field fake_select_lex. The outer context for fake_select_lex must be the same as for other selects of the union. If the union is used in the FROM list of a derived table then the outer context for fake_select_lex must be set to NULL in line with other selects of the union. It was not done and it caused a crash when searching for possible resolution of an unresolvable column reference occurred in a subquery used in the ORDER BY clause. Approved by Oleksandr Byelkin <sanja@mariadb.com> --- mysql-test/main/derived.result | 23 +++++++++++++++++++++++ mysql-test/main/derived.test | 30 ++++++++++++++++++++++++++++++ sql/sql_derived.cc | 3 +++ 3 files changed, 56 insertions(+) diff --git a/mysql-test/main/derived.result b/mysql-test/main/derived.result index 2761fdf..0cb029f 100644 --- a/mysql-test/main/derived.result +++ b/mysql-test/main/derived.result @@ -1327,5 +1327,28 @@ a b DROP VIEW v1; DROP TABLE t1; # +# MDEV-28616: derived table over union with order by clause that +# contains subquery with unresolvable column reference +# +SELECT 1 FROM ( +SELECT 1 UNION SELECT 2 ORDER BY (SELECT 1 FROM DUAL WHERE xxx = 0) +) dt; +ERROR 42S22: Unknown column 'xxx' in 'where clause' +create table t1 (a int, b int); +insert into t1 values (3,8), (7,2), (1,4), (5,9); +create table t2 (a int, b int); +insert into t2 values (9,1), (7,3), (2,6); +create table t3 (c int, d int); +insert into t3 values (7,8), (1,2), (3,8); +select * from +( +select a,b from t1 where t1.a > 3 +union +select a,b from t2 where t2.b < 6 +order by (a - b / (select a + max(c) from t3 where d = x)) +) dt; +ERROR 42S22: Unknown column 'x' in 'where clause' +drop table t1,t2,t3; +# # End of 10.3 tests # diff --git a/mysql-test/main/derived.test b/mysql-test/main/derived.test index 6a83100..dca7243 100644 --- a/mysql-test/main/derived.test +++ b/mysql-test/main/derived.test @@ -1138,5 +1138,35 @@ DROP VIEW v1; DROP TABLE t1; --echo # +--echo # MDEV-28616: derived table over union with order by clause that +--echo # contains subquery with unresolvable column reference +--echo # + +--error ER_BAD_FIELD_ERROR +SELECT 1 FROM ( + SELECT 1 UNION SELECT 2 ORDER BY (SELECT 1 FROM DUAL WHERE xxx = 0) +) dt; + +create table t1 (a int, b int); +insert into t1 values (3,8), (7,2), (1,4), (5,9); + +create table t2 (a int, b int); +insert into t2 values (9,1), (7,3), (2,6); + +create table t3 (c int, d int); +insert into t3 values (7,8), (1,2), (3,8); + +--error ER_BAD_FIELD_ERROR +select * from +( + select a,b from t1 where t1.a > 3 + union + select a,b from t2 where t2.b < 6 + order by (a - b / (select a + max(c) from t3 where d = x)) +) dt; + +drop table t1,t2,t3; + +--echo # --echo # End of 10.3 tests --echo # diff --git a/sql/sql_derived.cc b/sql/sql_derived.cc index 93dc628..8177ee2 100644 --- a/sql/sql_derived.cc +++ b/sql/sql_derived.cc @@ -771,6 +771,9 @@ bool mysql_derived_prepare(THD *thd, LEX *lex, TABLE_LIST *derived) cursor->outer_join|= JOIN_TYPE_OUTER; } } + // Prevent it for possible ORDER BY clause + if (unit->fake_select_lex) + unit->fake_select_lex->context.outer_context= 0; /* Above cascade call of prepare is important for PS protocol, but after it