authorAlexey Kopytov <Alexey.Kopytov@Sun.com>2010-06-22 22:53:08 +0400
committerAlexey Kopytov <Alexey.Kopytov@Sun.com>2010-06-22 22:53:08 +0400
commit0e6560398cea2e3277a7384d86186b0cb65ecfb2 (patch)
tree4117de34093af5542d2bdf21d6d8025797e56a14 /mysql-test/r/func_in.result
parentb36a02822430ce90285f067f8e6e8d87859732aa (diff)
Bug#54477: Crash on IN / CASE with NULL arguments
Incorrect handling of NULL arguments could lead to a crash in IN or CASE operations when NULL arguments were either passed explicitly (IN) or implicitly generated by the WITH ROLLUP modifier (both IN and CASE).

Item_func_case::find_item() assumed that all necessary comparators had been instantiated in fix_length_and_dec(). However, in the presence of the WITH ROLLUP modifier, arguments could be substituted with an Item_null, leading to an "unexpected" STRING_RESULT comparator being invoked.

In addition to the problem identical to the above, Item_func_in::val_int() could crash even with explicitly passed NULL arguments, due to an optimization in fix_length_and_dec() that caused NULL arguments to be ignored during comparator creation.

mysql-test/r/func_in.result: Test cases for bug#54477.
mysql-test/t/func_in.test: Test cases for bug#54477.
sql/item_cmpfunc.cc: Added additional checks for Item_nulls in Item_func_case::find_item() and Item_func_in::val_int().
Diffstat (limited to 'mysql-test/r/func_in.result')
-rw-r--r--mysql-test/r/func_in.result20
1 files changed, 20 insertions, 0 deletions
diff --git a/mysql-test/r/func_in.result b/mysql-test/r/func_in.result
index ffdacc43735..fdeec2755ca 100644
--- a/mysql-test/r/func_in.result
+++ b/mysql-test/r/func_in.result
@@ -750,4 +750,24 @@ id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE NULL NULL NULL NULL NULL NULL NULL Impossible WHERE noticed after reading const tables
DROP TABLE t1;
#
+# Bug#54477: Crash on IN / CASE with NULL arguments
+#
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1), (2);
+SELECT 1 IN (NULL, a) FROM t1;
+1 IN (NULL, a)
+1
+NULL
+SELECT a IN (a, a) FROM t1 GROUP BY a WITH ROLLUP;
+a IN (a, a)
+1
+1
+NULL
+SELECT CASE a WHEN a THEN a END FROM t1 GROUP BY a WITH ROLLUP;
+CASE a WHEN a THEN a END
+1
+2
+NULL
+DROP TABLE t1;
+#
End of 5.1 tests
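Review bot: The recorded cases run all three statements against a single `a INT` column, so the regression coverage for this crash pins only the integer comparator path. The commit message attributes the crash to a comparator that was never instantiated for the substituted Item_null. It would therefore be worth repeating `SELECT a IN (a, a) FROM t1 GROUP BY a WITH ROLLUP;` and the CASE statement over a `DECIMAL` or `DOUBLE` column, assuming those types take the same code path, which is not visible from this file. Separately, the expected rows `1` then `NULL` for `SELECT 1 IN (NULL, a) FROM t1;` depend on scan order; adding `ORDER BY a` in the .test file and re-recording would make the result stable.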