diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2017-07-12 08:05:42 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2017-07-12 10:39:02 +0200 |
| commit | c5975eaea174460e774e77717e972a8d32e6c8de (patch) | |
| tree | 2b42a0092094a1b908899e6f474e2623bb242937 /sql/item_subselect.cc | |
| parent | f305a7ce4bccbd56520d874e1d81a4f29bc17a96 (diff) | |
| download | mariadb-git-c5975eaea174460e774e77717e972a8d32e6c8de.tar.gz | |
MDEV-7339 Server crashes in Item_func_trig_cond::val_int
Item_in_subselect::pushed_cond_guards[] array is allocated only when
left_expr->maybe_null. And it is used (for row expressions) when
left_expr->element_index(i)->maybe_null.
For left_expr being a multi-column subquery, its maybe_null is
always false when the subquery doesn't use tables (see
Item_singlerow_subselect::fix_length_and_dec()
and subselect_single_select_engine::fix_length_and_dec()),
otherwise it's always true.
But row elements can be NULL regardless, so let's always allocate
pushed_cond_guards for multi-column subqueries, no matter whether
its maybe_null was forced to true or false.
Diffstat (limited to 'sql/item_subselect.cc')
| -rw-r--r-- | sql/item_subselect.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc index e0da946d190..068f32c99b9 100644 --- a/sql/item_subselect.cc +++ b/sql/item_subselect.cc @@ -2871,7 +2871,8 @@ bool Item_in_subselect::init_cond_guards() { DBUG_ASSERT(thd); uint cols_num= left_expr->cols(); - if (!abort_on_null && left_expr->maybe_null && !pushed_cond_guards) + if (!abort_on_null && !pushed_cond_guards && + (left_expr->maybe_null || cols_num > 1)) { if (!(pushed_cond_guards= (bool*)thd->alloc(sizeof(bool) * cols_num))) return TRUE; |