diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2017-10-17 10:57:51 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2017-10-17 11:04:09 +0200 |
| commit | b000e169562697aa072600695d4f0c0412f94f4f (patch) | |
| tree | 3c05a2dee4eed10960766f8c584b8f7a259d51cf | |
| parent | df5f25fa7a2c9f43f0506b2ef98dc00033a5c557 (diff) | |
| download | mariadb-git-b000e169562697aa072600695d4f0c0412f94f4f.tar.gz | |
Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL))mariadb-5.5.58
based on:
commit f7316aa0c9a
Author: Ajo Robert <ajo.robert@oracle.com>
Date: Thu Aug 24 17:03:21 2017 +0530
Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST,
COL), NAME_CONST('NAME', NULL))
Backport of Bug#19143243 fix.
NAME_CONST item can return NULL_ITEM type in case of incorrect arguments.
NULL_ITEM has special processing in Item_func_in function.
In Item_func_in::fix_length_and_dec an array of possible comparators is
created. Since NAME_CONST function has NULL_ITEM type, corresponding
array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE.
ITEM_CACHE can not return proper type(NULL_ITEM) in Item_func_in::val_int(),
so the NULL_ITEM is attempted compared with an empty comparator.
The fix is to disable the caching of Item_name_const item.
| -rw-r--r-- | mysql-test/r/func_in.result | 6 | ||||
| -rw-r--r-- | mysql-test/t/func_in.test | 8 | ||||
| -rw-r--r-- | sql/item.cc | 1 |
3 files changed, 15 insertions, 0 deletions
diff --git a/mysql-test/r/func_in.result b/mysql-test/r/func_in.result index fc56660ac62..03ddbf5402b 100644 --- a/mysql-test/r/func_in.result +++ b/mysql-test/r/func_in.result @@ -812,3 +812,9 @@ EXECUTE s; 1 DROP TABLE t1; # End of 5.3 tests +create table t1 (a int); +insert t1 values (1),(2),(3); +select * from t1 where 1 in (a, name_const('a', null)); +a +1 +drop table t1; diff --git a/mysql-test/t/func_in.test b/mysql-test/t/func_in.test index 1e695142d90..439f9868ec8 100644 --- a/mysql-test/t/func_in.test +++ b/mysql-test/t/func_in.test @@ -606,3 +606,11 @@ EXECUTE s; DROP TABLE t1; --echo # End of 5.3 tests + +# +# Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL)) +# +create table t1 (a int); +insert t1 values (1),(2),(3); +select * from t1 where 1 in (a, name_const('a', null)); +drop table t1; diff --git a/sql/item.cc b/sql/item.cc index 3c633ddc9ca..fa2e52bfd4a 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -6726,6 +6726,7 @@ bool Item::cache_const_expr_analyzer(uchar **arg) */ if (const_item() && !(basic_const_item() || item->basic_const_item() || + item->type() == Item::NULL_ITEM || /* Item_name_const hack */ item->type() == Item::FIELD_ITEM || item->type() == SUBSELECT_ITEM || /* |