Fix for bug #1500 "Server crash with mysql_prepare"

We treat Item_param whose value is not set as non-const.
This allows us to avoid use of Item_param's value (not yet existing) in 
those fix_fields and fix_length_and_dec that do calculations if their 
Items arguments are const. So we can call fix_fields for such items from
mysql_prepare safely.

1 files changed, 112 insertions, 0 deletions

diff --git a/tests/client_test.c b/tests/client_test.c
index 517cac39d1b..637f6c4ede1 100644
--- a/tests/client_test.c
+++ b/tests/client_test.c
@@ -7953,6 +7953,117 @@ static void test_ts()
   }
 }
 
+/*
+  Test for bug #1500.
+*/
+static void test_bug1500()
+{
+  MYSQL_STMT *stmt;
+  MYSQL_BIND bind[3];
+  int        rc;
+  long       int_data[3]= {2,3,4}; 
+  char       *data;
+
+  myheader("test_bug1500");
+
+  rc= mysql_query(mysql,"DROP TABLE IF EXISTS test_bg1500");
+  myquery(rc);
+  
+  rc= mysql_query(mysql,"CREATE TABLE test_bg1500 (i INT)");
+  myquery(rc);
+  
+  rc= mysql_query(mysql,"INSERT INTO test_bg1500 VALUES (1),(2)");
+  myquery(rc);
+
+  rc= mysql_commit(mysql);
+  myquery(rc);
+
+  stmt= mysql_prepare(mysql,"SELECT i FROM test_bg1500 WHERE i IN (?,?,?)",44);
+  mystmt_init(stmt);
+  verify_param_count(stmt,3);
+
+  bind[0].buffer= (char *)int_data;
+  bind[0].buffer_type= FIELD_TYPE_LONG;
+  bind[0].is_null= 0;
+  bind[2]= bind[1]= bind[0];
+  bind[1].buffer= (char *)(int_data + 1);
+  bind[2].buffer= (char *)(int_data + 2);
+  
+  rc= mysql_bind_param(stmt, bind);
+  mystmt(stmt,rc);
+  
+  rc= mysql_execute(stmt);
+  mystmt(stmt,rc);
+  
+  assert(1 == my_process_stmt_result(stmt));
+
+  /* FIXME If we comment out next string server will crash :( */
+  mysql_stmt_close(stmt);
+
+  rc= mysql_query(mysql,"DROP TABLE test_bg1500");
+  myquery(rc);
+  
+  rc= mysql_query(mysql,"CREATE TABLE test_bg1500 (s VARCHAR(25), FULLTEXT(s))");
+  myquery(rc);
+  
+  rc= mysql_query(mysql,
+        "INSERT INTO test_bg1500 VALUES ('Gravedigger'), ('Greed'),('Hollow Dogs')");
+  myquery(rc);
+
+  rc= mysql_commit(mysql);
+  myquery(rc);
+
+  stmt= mysql_prepare(mysql,
+          "SELECT s FROM test_bg1500 WHERE MATCH (s) AGAINST (?)",53);
+  mystmt_init(stmt);
+  
+  verify_param_count(stmt,1);
+  
+  data= "Dogs";
+  bind[0].buffer_type= MYSQL_TYPE_STRING;
+  bind[0].buffer= data;
+  bind[0].buffer_length= strlen(data);
+  bind[0].is_null= 0;
+  bind[0].length= 0;
+  
+  rc= mysql_bind_param(stmt, bind);
+  mystmt(stmt,rc);
+  
+  rc= mysql_execute(stmt);
+  mystmt(stmt,rc);
+  
+  assert(1 == my_process_stmt_result(stmt));
+
+  /* 
+    FIXME If we comment out next string server will crash too :( 
+    This is another manifestation of bug #1663
+  */
+  mysql_stmt_close(stmt);
+  
+  /* This should work too */
+  stmt= mysql_prepare(mysql,
+          "SELECT s FROM test_bg1500 WHERE MATCH (s) AGAINST (CONCAT(?,'digger'))", 70);
+  mystmt_init(stmt);
+  
+  verify_param_count(stmt,1);
+  
+  data= "Grave";
+  bind[0].buffer_type= MYSQL_TYPE_STRING;
+  bind[0].buffer= data;
+  bind[0].buffer_length= strlen(data);
+  bind[0].is_null= 0;
+  bind[0].length= 0;
+  
+  rc= mysql_bind_param(stmt, bind);
+  mystmt(stmt,rc);
+  
+  rc= mysql_execute(stmt);
+  mystmt(stmt,rc);
+  
+  assert(1 == my_process_stmt_result(stmt));
+
+  mysql_stmt_close(stmt);
+}
 
 /*
   Read and parse arguments and MySQL options from my.cnf
@@ -8194,6 +8305,7 @@ int main(int argc, char **argv)
     test_ts();              /* test for timestamp BR#819 */
     test_bug1115();         /* BUG#1115 */
     test_bug1180();         /* BUG#1180 */
+    test_bug1500();         /* BUG#1500 */
     test_bug1644();	    /* BUG#1644 */
 
     end_time= time((time_t *)0);