author | Igor Babaev <igor@askmonty.org> | 2018-10-14 15:20:25 -0700 |
---|---|---|
committer | Igor Babaev <igor@askmonty.org> | 2018-10-14 15:29:08 -0700 |
commit | 103b1df510599255f464de5c85a8b0ab1bb1283e (patch) | |
tree | 60f6734ab43ae53f259337195d0bb1a4c5b8d821 /sql/sql_tvc.cc | |
parent | 74387028a06c557f36a0fd1bbde347f1551c8fb7 (diff) | |
MDEV-17222 Reproducible server crash in String_list::append_str or
in Field_iterator_table::create_item
When IN predicate is converted to IN subquery we have to ensure that
any item from the select list of the subquery has some name and this name
is unique across the select list.
This was not guaranteed by the code before the patch for MDEV-17222.
If the name of an item of the select list was not set, and this happened
for binary constants, then the server crashed. If the first row in the IN
list contained the same constant in two different positions then the server
returned an error message.
This was fixed by providing all constants in the first row of the IN list
with generated names.
Diffstat (limited to 'sql/sql_tvc.cc')
-rw-r--r-- | sql/sql_tvc.cc | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/sql/sql_tvc.cc b/sql/sql_tvc.cc index 188ba8c4629..a5085fdfc58 100644 --- a/sql/sql_tvc.cc +++ b/sql/sql_tvc.cc @@ -470,6 +470,7 @@ bool Item_func_in::create_value_list_for_tvc(THD *thd, for (uint i=1; i < arg_count; i++) { + char col_name[8]; List<Item> *tvc_value; if (!(tvc_value= new (thd->mem_root) List<Item>())) return true; @@ -480,13 +481,27 @@ bool Item_func_in::create_value_list_for_tvc(THD *thd, for (uint j=0; j < row_list->cols(); j++) { + if (i == 1) + { + sprintf(col_name, "_col_%i", j+1); + row_list->element_index(j)->set_name(thd, col_name, strlen(col_name), + thd->charset()); + } if (tvc_value->push_back(row_list->element_index(j), thd->mem_root)) return true; } } - else if (tvc_value->push_back(args[i]->real_item())) - return true; + else + { + if (i == 1) + { + sprintf(col_name, "_col_%i", 1); + args[i]->set_name(thd, col_name, strlen(col_name), thd->charset()); + } + if (tvc_value->push_back(args[i]->real_item())) + return true; + } if (values->push_back(tvc_value, thd->mem_root)) return true; |
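Review bot: `char col_name[8]`, declared in the first hunk, has room for `_col_`, two digits and the terminator, so `sprintf(col_name, "_col_%i", j+1)` in the row branch of the second hunk writes past the end of the stack buffer once a row in the IN list has 100 or more columns. The column count comes from the query text, so the write should be bounded and the buffer sized for the widest index: `char col_name[16];` and `snprintf(col_name, sizeof(col_name), "_col_%u", j+1);`, where `%u` also matches the `uint` loop index. The scalar branch reuses the same buffer with the constant `1`, which fits. create_value_list_for_tvc starts and ends outside both hunks, so any limit on row width enforced elsewhere is not visible here.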
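Review bot: In the scalar branch of the second hunk the generated name is set on `args[i]`, but the item pushed into the value list is `args[i]->real_item()`. If those can be different objects for some argument, the item that actually lands in the first row stays unnamed, which is the condition the commit description ties to the crash. The row branch names and pushes the same `row_list->element_index(j)`, so the two paths are not symmetric. Consider naming the item that is pushed, for example `Item *it= args[i]->real_item();` followed by `it->set_name(thd, col_name, strlen(col_name), thd->charset());` and `tvc_value->push_back(it)`.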