author | Annamalai Gurusami <annamalai.gurusami@oracle.com> | 2013-02-22 14:56:17 +0530 |
---|---|---|
committer | Annamalai Gurusami <annamalai.gurusami@oracle.com> | 2013-02-22 14:56:17 +0530 |
commit | dc6969734afbd6598035c81a3e0a7f139083ed65 (patch) | |
tree | cb33eb643bfdc148830a36952db8d765ea7353bc /sql/set_var.h | |
parent | 4d494b17264eb93068b02b239c2f76b51920e0c4 (diff) | |
download | mariadb-git-dc6969734afbd6598035c81a3e0a7f139083ed65.tar.gz |
Bug #14211565 CRASH WHEN ATTEMPTING TO SET SYSTEM VARIABLE TO RESULT OF VALUES()
Problem:
When the VALUES() function is inappropriately used in the SET stmt the server
exits.
set port = values(v);
This happens because the values(v) will be parsed as an Item_insert_value by
the parser. Both Item_field and Item_insert_value return the type as
FIELD_ITEM. But for Item_insert_value the field_name member is NULL. In
set_var constructor, when the type of the item is FIELD_ITEM we try to access
the non-existent field_name.
The class hierarchy is as follows:
Item -> Item_ident -> Item_field -> Item_insert_value
The Item_ident::field_name is NULL for Item_insert_value.
Solution:
In the parsing stage, in the set_var constructor if the item type is
FIELD_ITEM and if the field_name is non-existent, then it is probably
the Item_insert_value. So leave it as it is for later evaluation.
rb://2004 approved by Roy and Norvald.
Diffstat (limited to 'sql/set_var.h')
-rw-r--r-- | sql/set_var.h | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/sql/set_var.h b/sql/set_var.h index 97e3c74593b..7b1dbcddb96 100644 --- a/sql/set_var.h +++ b/sql/set_var.h @@ -1326,13 +1326,23 @@ public: if (value_arg && value_arg->type() == Item::FIELD_ITEM) { Item_field *item= (Item_field*) value_arg; - if (!(value=new Item_string(item->field_name, - (uint) strlen(item->field_name), - item->collation.collation))) - value=value_arg; /* Give error message later */ + if (item->field_name) + { + if (!(value= new Item_string(item->field_name, + (uint) strlen(item->field_name), + item->collation.collation))) + value= value_arg; /* Give error message later */ + } + else + { + /* Both Item_field and Item_insert_value will return the type as + Item::FIELD_ITEM. If the item->field_name is NULL, we assume the + object to be Item_insert_value. */ + value= value_arg; + } } else - value=value_arg; + value= value_arg; } int check(THD *thd); int update(THD *thd); |
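Review bot: in the new else branch, a NULL `item->field_name` is taken as proof that the item is an Item_insert_value, but nothing in the hunk verifies that. Any other FIELD_ITEM whose field_name is NULL takes the same path and is handed on unchanged as `value= value_arg;`. The comment should name the later step that is expected to reject such a value (the class declares `check(THD *thd)` and `update(THD *thd)` right below), so a reader can confirm that the SET statement ends in an error rather than a deferred dereference. The `(Item_field*) value_arg` cast above the check is still an unchecked C-style downcast, so the comment is the only record of which subclasses can reach this point. This view is limited to sql/set_var.h and shows no test, so a regression test for `set port = values(v);` should accompany the change if it does not already.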