Bug #40761: Assert on sum function on

            IF(..., CAST(longtext AS UNSIGNED), signed_val)
            (was: LEFT JOIN on inline view crashes server)

Select from a LONGTEXT column wrapped with an expression
like "IF(..., CAST(longtext_column AS UNSIGNED), smth_signed)"
failed an assertion or crashed the server. IFNULL function was
affected too.

LONGTEXT column item has a maximum length of 32^2-1 bytes,
at the same time this is a maximum possible length of any
MySQL item. CAST(longtext_column AS UNSIGNED) returns some
unsigned numeric result of length 32^2-1, so the result of
IF/IFNULL function of this number and some other signed number
will have text length of (32^2-1)+1=32^2 (one byte for the
minus sign) - there is integer overflow, and the length is
equal to zero. That caused assert/crash.

CAST AS UNSIGNED function has been modified to limit maximal
length of resulting number to 67 (maximal length of DECIMAL
and two characters for minus sign and dot).


mysql-test/r/func_if.result:
  Added test case for bug #40761.
mysql-test/t/func_if.test:
  Added test case for bug #40761.
sql/item_func.h:
  Bug #40761: Assert on sum function on
              IF(..., CAST(longtext AS UNSIGNED), signed_val)
  
  CAST AS UNSIGNED function has been modified to limit maximal
  length of resulting number to 67 (maximal length of DECIMAL
  and two characters for minus sign and dot).

1 files changed, 4 insertions, 1 deletions

diff --git a/sql/item_func.h b/sql/item_func.h
index 6dcf32cba07..89c841abb75 100644
--- a/sql/item_func.h
+++ b/sql/item_func.h
@@ -351,7 +351,10 @@ public:
   Item_func_unsigned(Item *a) :Item_func_signed(a) {}
   const char *func_name() const { return "cast_as_unsigned"; }
   void fix_length_and_dec()
-  { max_length=args[0]->max_length; unsigned_flag=1; }
+  {
+    max_length= min(args[0]->max_length, DECIMAL_MAX_PRECISION + 2);
+    unsigned_flag=1;
+  }
   longlong val_int();
   void print(String *str);
 };