author | Sergei Golubchik <serg@mariadb.org> | 2017-10-17 10:57:51 +0200 |
---|---|---|
committer | Sergei Golubchik <serg@mariadb.org> | 2017-10-17 11:04:09 +0200 |
commit | b000e169562697aa072600695d4f0c0412f94f4f (patch) | |
tree | 3c05a2dee4eed10960766f8c584b8f7a259d51cf /sql/item.cc | |
parent | df5f25fa7a2c9f43f0506b2ef98dc00033a5c557 (diff) | |
download | mariadb-git-b000e169562697aa072600695d4f0c0412f94f4f.tar.gz |
Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL)) mariadb-5.5.58
based on:
commit f7316aa0c9a
Author: Ajo Robert <ajo.robert@oracle.com>
Date: Thu Aug 24 17:03:21 2017 +0530
Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST,
COL), NAME_CONST('NAME', NULL))
Backport of Bug#19143243 fix.
NAME_CONST item can return NULL_ITEM type in case of incorrect arguments.
NULL_ITEM has special processing in Item_func_in function.
In Item_func_in::fix_length_and_dec an array of possible comparators is
created. Since NAME_CONST function has NULL_ITEM type, corresponding
array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE.
ITEM_CACHE cannot return the proper type (NULL_ITEM) in Item_func_in::val_int(),
so an attempt is made to compare the NULL_ITEM with an empty comparator.
The fix is to disable the caching of Item_name_const item.
Diffstat (limited to 'sql/item.cc')
-rw-r--r-- | sql/item.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sql/item.cc b/sql/item.cc index 3c633ddc9ca..fa2e52bfd4a 100644 --- a/sql/item.cc +++ b/sql/item.cc @@ -6726,6 +6726,7 @@ bool Item::cache_const_expr_analyzer(uchar **arg) */ if (const_item() && !(basic_const_item() || item->basic_const_item() || + item->type() == Item::NULL_ITEM || /* Item_name_const hack */ item->type() == Item::FIELD_ITEM || item->type() == SUBSELECT_ITEM || /* |
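Review bot: the added condition `item->type() == Item::NULL_ITEM` in `Item::cache_const_expr_analyzer` is broader than its comment suggests. It excludes every constant item that reports `NULL_ITEM` from caching, not only `Item_name_const`, and the four-word comment "Item_name_const hack" does not say why. Suggest expanding the comment to record the reason given in the commit message (an `Item_cache` wrapper does not report `NULL_ITEM`, and `Item_func_in` has no comparator for that slot) together with the bug number, so the check is not dropped in a later cleanup. If only `Item_name_const` is meant to be affected, it would also help to state that the wider match is intentional. The diff shown here is limited to `sql/item.cc`, so it is worth confirming that the full commit carries a regression test for the `COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL))` query from the subject line.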