author | Ajo Robert <ajo.robert@oracle.com> | 2017-08-24 17:03:21 +0530 |
---|---|---|
committer | Ajo Robert <ajo.robert@oracle.com> | 2017-08-24 17:03:21 +0530 |
commit | f7316aa0c9a3909fc7498e7b95d5d3af044a7e21 (patch) | |
tree | e1583dcd5f25dc950b96790606bd50b20b156d18 /sql | |
parent | f2f6025a445d9a799ccce27bc9124c3a63c28764 (diff) | |
download | mariadb-git-f7316aa0c9a3909fc7498e7b95d5d3af044a7e21.tar.gz |
Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST,
COL), NAME_CONST('NAME', NULL))
Backport of Bug#19143243 fix.
NAME_CONST item can return NULL_ITEM type in case of incorrect arguments.
NULL_ITEM has special processing in Item_func_in function.
In Item_func_in::fix_length_and_dec an array of possible comparators is
created. Since NAME_CONST function has NULL_ITEM type, corresponding
array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE.
ITEM_CACHE cannot return the proper type (NULL_ITEM) in Item_func_in::val_int(),
so an attempt is made to compare the NULL_ITEM with an empty comparator.
The fix is to disable the caching of Item_name_const item.
Diffstat (limited to 'sql')
-rw-r--r-- | sql/item.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/item.h b/sql/item.h index 8caa2bc5f9f..9f4e1d24424 100644 --- a/sql/item.h +++ b/sql/item.h @@ -1,7 +1,7 @@ #ifndef ITEM_INCLUDED #define ITEM_INCLUDED -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1552,6 +1552,12 @@ public: return TRUE; } + virtual bool cache_const_expr_analyzer(uchar **arg) + { + // Item_name_const always wraps a literal, so there is no need to cache it. + return false; + } + int save_in_field(Field *field, bool no_conversions) { return value_item->save_in_field(field, no_conversions); |
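Review bot: In the second hunk of sql/item.h, the comment on the new `cache_const_expr_analyzer()` override gives a different reason for returning false than the commit message does. The comment says "Item_name_const always wraps a literal, so there is no need to cache it", which reads as an optimization, while the commit message says caching has to be disabled because the Item_cache wrapper cannot report the NULL_ITEM type and Item_func_in::val_int() then reaches an empty comparator. Suggest rewording the comment to say that caching must stay disabled for that reason and to cite Bug#26361149, so the override is not removed later as redundant. The `arg` parameter is unused in the body, so check that it does not trigger an unused-parameter warning in the build. The diffstat shown is limited to sql/, so please confirm that a regression test using the query shape from the bug title, `COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL))`, accompanies this change.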