MDEV-21997 Server crashes in LEX::create_item_ident_sp upon use of unknown identifier

If there is no current_select and variable is not found among SP variables it can be only an error.

3 files changed, 128 insertions, 0 deletions

diff --git a/mysql-test/main/parser.result b/mysql-test/main/parser.result
index 42fdc01617b..ad22cd886f7 100644
--- a/mysql-test/main/parser.result
+++ b/mysql-test/main/parser.result
@@ -1838,4 +1838,59 @@ ERROR 42S02: Table 'test.t1' doesn't exist
 SET STATEMENT max_statement_time=180 FOR BACKUP LOCK test.t1;
 SET STATEMENT max_statement_time=180 FOR BACKUP UNLOCK;
 set SQL_MODE=@save_sql_mode;
+#
+# MDEV-21997: Server crashes in LEX::create_item_ident_sp
+# upon use of unknown identifier
+#
+/*! IF 1 IN ( SELECT 2 ) OR foo = 3 THEN */ SELECT 4;
+ERROR 42000: Undeclared variable: foo
+BEGIN NOT ATOMIC
+IF (SELECT 2) OR foo = 3 THEN
+SELECT 4;
+END IF ;
+END;
+$$
+ERROR 42000: Undeclared variable: foo
+# ... but if declare it then it still work
+BEGIN NOT ATOMIC
+DECLARE foo int;
+IF (SELECT 2) OR foo = 3 THEN
+SELECT 4;
+END IF ;
+END;
+$$
+4
+4
+CASE (SELECT 2) OR foo
+WHEN 1 THEN
+SET @x=10;
+$$
+ERROR 42000: Undeclared variable: foo
+/*! WHILE (SELECT 2) OR foo */
+SET @x=10;
+END WHILE;
+$$
+ERROR 42000: Undeclared variable: foo
+REPEAT
+SET @x=10;
+UNTIL (SELECT 2) OR foo
+END REPEAT;
+$$
+ERROR 42000: Undeclared variable: foo
+FOR i IN 1..(SELECT 2) OR foo
+DO
+SET @x=10;
+END FOR;
+$$
+ERROR 42000: Undeclared variable: foo
+# ... but automatic FOR variable still work
+FOR i IN 1..2
+DO
+SELECT i;
+END FOR;
+$$
+i
+1
+i
+2
 # End of 10.4 tests
diff --git a/mysql-test/main/parser.test b/mysql-test/main/parser.test
index 8aa2fb528ea..09fe73b7dbe 100644
--- a/mysql-test/main/parser.test
+++ b/mysql-test/main/parser.test
@@ -1613,4 +1613,70 @@ SET STATEMENT max_statement_time=180 FOR BACKUP LOCK test.t1;
 SET STATEMENT max_statement_time=180 FOR BACKUP UNLOCK;
 set SQL_MODE=@save_sql_mode;
 
+
+--echo #
+--echo # MDEV-21997: Server crashes in LEX::create_item_ident_sp
+--echo # upon use of unknown identifier
+--echo #
+
+--error ER_SP_UNDECLARED_VAR
+/*! IF 1 IN ( SELECT 2 ) OR foo = 3 THEN */ SELECT 4;
+
+
+DELIMITER $$;
+
+--error ER_SP_UNDECLARED_VAR
+BEGIN NOT ATOMIC
+  IF (SELECT 2) OR foo = 3 THEN
+    SELECT 4;
+  END IF ;
+END;
+$$
+
+--echo # ... but if declare it then it still work
+BEGIN NOT ATOMIC
+  DECLARE foo int;
+  IF (SELECT 2) OR foo = 3 THEN
+    SELECT 4;
+  END IF ;
+END;
+$$
+
+--error ER_SP_UNDECLARED_VAR
+CASE (SELECT 2) OR foo
+WHEN 1 THEN
+  SET @x=10;
+$$
+
+--error ER_SP_UNDECLARED_VAR
+/*! WHILE (SELECT 2) OR foo */
+  SET @x=10;
+END WHILE;
+$$
+
+--error ER_SP_UNDECLARED_VAR
+REPEAT
+  SET @x=10;
+UNTIL (SELECT 2) OR foo
+END REPEAT;
+$$
+
+--error ER_SP_UNDECLARED_VAR
+FOR i IN 1..(SELECT 2) OR foo
+DO
+  SET @x=10;
+END FOR;
+$$
+
+--echo # ... but automatic FOR variable still work
+FOR i IN 1..2
+DO
+  SELECT i;
+END FOR;
+$$
+
+DELIMITER ;$$
+
+
+
 --echo # End of 10.4 tests
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index eb22534f4fb..c21a5dee088 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -7598,6 +7598,13 @@ Item *LEX::create_item_ident_sp(THD *thd, Lex_ident_sys_st *name,
       return new (thd->mem_root) Item_func_sqlerrm(thd);
   }
 
+  if (!current_select)
+  {
+    // we are out of SELECT or FOR so it is syntax error
+    my_error(ER_SP_UNDECLARED_VAR, MYF(0), name->str);
+    return NULL;
+  }
+
   if (current_select->parsing_place == FOR_LOOP_BOUND)
     return create_item_for_loop_bound(thd, &null_clex_str, &null_clex_str,
                                       name);