MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str

The reason for crash is that natural_sort_key(release_lock('a')) would evaluate release_lock() twice, once in Item::is_null() and another time in Item::val_str(). Second time it returns NULL, since lock was already released. Fixed to prevent double evaluation.
author: Vladislav Vaintroub <wlad@mariadb.com> 2021-10-12 10:17:52 +0200
committer: Vladislav Vaintroub <wlad@mariadb.com> 2021-10-14 12:13:05 +0200
commit: a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e (patch)
tree: df36849b93f70c2830cb8717df87809a06089fef /sql/item_strfunc.cc
parent: bc09362eb312eff5eb2203963d75f368fea3f4ad (diff)
download: mariadb-git-a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index a13728295b8..0567501c97a 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -5638,13 +5638,13 @@ static NATSORT_ERR to_natsort_key(const String *in, String *out,
 
 String *Item_func_natural_sort_key::val_str(String *out)
 {
-  if (args[0]->is_null())
+  String *in= args[0]->val_str();
+  if (args[0]->null_value || !in)
   {
     null_value= true;
     return nullptr;
   }
   NATSORT_ERR err= NATSORT_ERR::SUCCESS;
-  String *in= args[0]->val_str();
   CHARSET_INFO *cs= in->charset();
   ulong max_allowed_packet= current_thd->variables.max_allowed_packet;
   uint errs;
author	Vladislav Vaintroub <wlad@mariadb.com>	2021-10-12 10:17:52 +0200
committer	Vladislav Vaintroub <wlad@mariadb.com>	2021-10-14 12:13:05 +0200
commit	a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e (patch)
tree	df36849b93f70c2830cb8717df87809a06089fef /sql/item_strfunc.cc
parent	bc09362eb312eff5eb2203963d75f368fea3f4ad (diff)
download	mariadb-git-a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e.tar.gz