From 5707f1efda643f94ea6b38051e94d427f6786c2c Mon Sep 17 00:00:00 2001
From: Kristian Nielsen <knielsen@knielsen-hq.org>
Date: Thu, 15 Feb 2024 10:41:23 +0100
Subject: [PATCH] MDEV-33468: Crash due to missing stack overrun check in two
 recursive functions

Thanks to Yury Chaikou for finding this problem (and the fix).

Reviewed-by: Monty <monty@mariadb.org>
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
---
 sql/item.cc       | 6 +++++-
 sql/sql_select.cc | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/sql/item.cc b/sql/item.cc
index 383c9e4b68e..07463b202f9 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -27,6 +27,7 @@
 #include "sp_rcontext.h"
 #include "sp_head.h"
 #include "sql_trigger.h"
+#include "sql_parse.h"
 #include "sql_select.h"
 #include "sql_show.h"                           // append_identifier
 #include "sql_view.h"                           // VIEW_ANY_SQL
@@ -485,7 +486,10 @@ void Item::print_parenthesised(String *str, enum_query_type query_type,
   bool need_parens= precedence() < parent_prec;
   if (need_parens)
     str->append('(');
-  print(str, query_type);
+  if (check_stack_overrun(current_thd, STACK_MIN_SIZE, NULL))
+    str->append("<STACK OVERRUN>");
+  else
+    print(str, query_type);
   if (need_parens)
     str->append(')');
 }
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 978bd4ebe26..9e8b8e4ebe0 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -17662,6 +17662,12 @@ Item_cond::remove_eq_conds(THD *thd, Item::cond_result *cond_value,
   bool and_level= functype() == Item_func::COND_AND_FUNC;
   List<Item> *cond_arg_list= argument_list();
 
+  if (check_stack_overrun(thd, STACK_MIN_SIZE, NULL))
+  {
+    *cond_value= Item::COND_FALSE;
+    return (COND*) 0;                           // Fatal error flag is set!
+  }
+
   if (and_level)
   {
     /*