authorOleksandr Byelkin <sanja@mariadb.com>2019-07-29 16:44:39 +0200
committerOleksandr Byelkin <sanja@mariadb.com>2019-07-29 16:44:39 +0200
commitccaaa3d200dccddd8ff3defafcff8ae6f4dcf9ae (patch)
treeb0ec12ae3ecb928483085552407e7d3a94b70f62
parent83d368a062f017bd28536639cb2041a6f2b88d55 (diff)
downloadmariadb-git-ccaaa3d200dccddd8ff3defafcff8ae6f4dcf9ae.tar.gz
MDEV-20200: AddressSanitizer: use-after-poison in Item_direct_view_ref::get_null_ref_table
Do not cast to the wrong type.
-rw-r--r--mysql-test/main/having.result9
-rw-r--r--mysql-test/main/having.test13
-rw-r--r--sql/sql_select.cc47
3 files changed, 51 insertions, 18 deletions
diff --git a/mysql-test/main/having.result b/mysql-test/main/having.result
index 837940a55ef..703f013c2da 100644
--- a/mysql-test/main/having.result
+++ b/mysql-test/main/having.result
@@ -864,4 +864,13 @@ x
Warnings:
Warning 1292 Truncated incorrect DOUBLE value: 'x'
DROP TABLE t1,t2;
+#
+# MDEV-20200: AddressSanitizer: use-after-poison in
+# Item_direct_view_ref::get_null_ref_table
+#
+CREATE TABLE t (f VARCHAR(512));
+INSERT INTO t VALUES ('a'),('b');
+SELECT * FROM t HAVING f = 'foo';
+f
+DROP TABLE t;
# End of 10.4 tests
diff --git a/mysql-test/main/having.test b/mysql-test/main/having.test
index ed86b41a2c3..072f1a088dc 100644
--- a/mysql-test/main/having.test
+++ b/mysql-test/main/having.test
@@ -909,4 +909,17 @@ HAVING t.f != 112 AND t.f = 'x' AND t.f != 'a';
DROP TABLE t1,t2;
+
+--echo #
+--echo # MDEV-20200: AddressSanitizer: use-after-poison in
+--echo # Item_direct_view_ref::get_null_ref_table
+--echo #
+
+CREATE TABLE t (f VARCHAR(512));
+INSERT INTO t VALUES ('a'),('b');
+SELECT * FROM t HAVING f = 'foo';
+
+# Cleanup
+DROP TABLE t;
+
--echo # End of 10.4 tests
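Review bot: The new case only puts the column on the left of the comparison (`HAVING f = 'foo'`), so the right-operand branch that this commit also changes in check_simple_equality() is probably not reached by the test. Adding the mirrored query `SELECT * FROM t HAVING 'foo' = f;` before the cleanup, with its empty result recorded in having.result, would exercise both sides under ASAN. A short comment above the query saying that the HAVING column is presumably wrapped in a plain `Item_ref` rather than a view reference would explain why such a small statement is a memory-safety regression test.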
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 3866ad2a6ce..ff07a7aea89 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -14333,27 +14333,38 @@ bool check_simple_equality(THD *thd, const Item::Context &ctx,
{
Item *orig_left_item= left_item;
Item *orig_right_item= right_item;
- if (left_item->type() == Item::REF_ITEM &&
- (((Item_ref*)left_item)->ref_type() == Item_ref::VIEW_REF ||
- ((Item_ref*)left_item)->ref_type() == Item_ref::REF))
+ if (left_item->type() == Item::REF_ITEM)
{
- if (((Item_ref*)left_item)->get_depended_from())
- return FALSE;
- if (((Item_direct_view_ref*)left_item)->get_null_ref_table() !=
- NO_NULL_TABLE && !left_item->real_item()->used_tables())
- return FALSE;
- left_item= left_item->real_item();
+ Item_ref::Ref_Type left_ref= ((Item_ref*)left_item)->ref_type();
+
+ if (left_ref == Item_ref::VIEW_REF ||
+ left_ref == Item_ref::REF)
+ {
+ if (((Item_ref*)left_item)->get_depended_from())
+ return FALSE;
+ if (left_ref == Item_ref::VIEW_REF &&
+ ((Item_direct_view_ref*)left_item)->get_null_ref_table() !=
+ NO_NULL_TABLE &&
+ !left_item->real_item()->used_tables())
+ return FALSE;
+ left_item= left_item->real_item();
+ }
}
- if (right_item->type() == Item::REF_ITEM &&
- (((Item_ref*)right_item)->ref_type() == Item_ref::VIEW_REF ||
- ((Item_ref*)right_item)->ref_type() == Item_ref::REF))
+ if (right_item->type() == Item::REF_ITEM)
{
- if (((Item_ref*)right_item)->get_depended_from())
- return FALSE;
- if (((Item_direct_view_ref*)right_item)->get_null_ref_table() !=
- NO_NULL_TABLE && !right_item->real_item()->used_tables())
- return FALSE;
- right_item= right_item->real_item();
+ Item_ref::Ref_Type right_ref= ((Item_ref*)right_item)->ref_type();
+ if (right_ref == Item_ref::VIEW_REF ||
+ (right_ref == Item_ref::REF))
+ {
+ if (((Item_ref*)right_item)->get_depended_from())
+ return FALSE;
+ if (right_ref == Item_ref::VIEW_REF &&
+ ((Item_direct_view_ref*)right_item)->get_null_ref_table() !=
+ NO_NULL_TABLE &&
+ !right_item->real_item()->used_tables())
+ return FALSE;
+ right_item= right_item->real_item();
+ }
}
if (left_item->type() == Item::FIELD_ITEM &&
right_item->type() == Item::FIELD_ITEM &&
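Review bot: The left and right branches are the same block written twice, and each still reaches `Item_direct_view_ref` through a C-style cast that is valid only because of the `ref_type() == Item_ref::VIEW_REF` test on the line before it. Nothing in the code says why that test is there, so a later edit could separate the tag check from the downcast and bring back the out-of-bounds member read that ASAN reported. Moving the logic into one file-local helper keeps the check and the cast together, lets `static_cast` replace the C-style casts, and removes the small drift between the two copies (the extra parentheses around `right_ref == Item_ref::REF`). The helper name below is a suggestion; check_simple_equality() itself starts and continues outside this hunk.

```cpp
/*
  Strip a REF / VIEW_REF wrapper from *item.
  Returns true when check_simple_equality() must give up (return FALSE).
  Only an item whose ref_type() is VIEW_REF may be treated as
  Item_direct_view_ref; a plain REF is a different object type, so the
  downcast has to stay behind the tag check.
*/
static bool unwrap_ref_for_equality(Item **item)
{
  if ((*item)->type() != Item::REF_ITEM)
    return false;
  Item_ref *ref= static_cast<Item_ref*>(*item);
  const Item_ref::Ref_Type ref_type= ref->ref_type();
  if (ref_type != Item_ref::VIEW_REF && ref_type != Item_ref::REF)
    return false;
  if (ref->get_depended_from())
    return true;
  if (ref_type == Item_ref::VIEW_REF &&
      static_cast<Item_direct_view_ref*>(ref)->get_null_ref_table() !=
      NO_NULL_TABLE &&
      !ref->real_item()->used_tables())
    return true;
  *item= ref->real_item();
  return false;
}

  Item *orig_right_item= right_item;
  if (unwrap_ref_for_equality(&left_item) ||
      unwrap_ref_for_equality(&right_item))
    return FALSE;
  // … unchanged: FIELD_ITEM comparison that follows …
```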