database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-01 03:47:19 +03:00
Code Activity

MDEV-24346 valgrind error in main.precedence

Browse Source 
Part II.

It's still possible to bypass Item_func_like::escape
initialization in Item_func_like::fix_fields().

This requires ESCAPE argument being a cacheable subquery
that uses tables and is inside a derived table which
is used in multi-update.

Instead of implementing a complex or expensive fix for
this particular ridiculously artificial case, let's simply disallow it.
This commit is contained in:
Sergei Golubchik
2020-12-15 00:16:21 +01:00
parent a587ded283
commit 59211ab7b9
3 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
mysql-test/r/func_like.result
View File

@ -294,3 +294,11 @@ insert t1 values (1),(2);
select 1 from (select distinct * from t1) as x where f < (select 1 like 2 escape (3=1)); select 1 from (select distinct * from t1) as x where f < (select 1 like 2 escape (3=1));
1 1
drop table t1; drop table t1;
create table t1(f1 int);
insert into t1 values(1);
update (select 1 like 2 escape (1 in (select 1 from t1))) x, t1 as d set d.f1 = 1;
ERROR HY000: Incorrect arguments to ESCAPE
select * from (select 1 like 2 escape (1 in (select 1 from t1))) x;
1 like 2 escape (1 in (select 1 from t1))
0
drop table t1;

10
mysql-test/t/func_like.test
View File

@ -215,3 +215,13 @@ create table t1 (f int);
insert t1 values (1),(2); insert t1 values (1),(2);
select 1 from (select distinct * from t1) as x where f < (select 1 like 2 escape (3=1)); select 1 from (select distinct * from t1) as x where f < (select 1 like 2 escape (3=1));
drop table t1; drop table t1;
#
# Item_func_like::fix_fields, ESCAPE, const_item()
#
create table t1(f1 int);
insert into t1 values(1);
--error ER_WRONG_ARGUMENTS
update (select 1 like 2 escape (1 in (select 1 from t1))) x, t1 as d set d.f1 = 1;
select * from (select 1 like 2 escape (1 in (select 1 from t1))) x;
drop table t1;

13
sql/item_cmpfunc.cc
View File

@ -5348,7 +5348,18 @@ bool fix_escape_item(THD *thd, Item *escape_item, String *tmp_str,
bool escape_used_in_parsing, CHARSET_INFO *cmp_cs, bool escape_used_in_parsing, CHARSET_INFO *cmp_cs,
int *escape) int *escape)
{ {
if (!escape_item->const_during_execution()) /*
ESCAPE clause accepts only constant arguments and Item_param.
Subqueries during context_analysis_only might decide they're
const_during_execution, but not quite const yet, not evaluate-able.
This is fine, as most of context_analysis_only modes will never
reach val_int(), so we won't need the value.
CONTEXT_ANALYSIS_ONLY_DERIVED being a notable exception here.
*/
if (!escape_item->const_during_execution() ||
(!escape_item->const_item() &&
!(thd->lex->context_analysis_only & ~CONTEXT_ANALYSIS_ONLY_DERIVED)))
{ {
my_error(ER_WRONG_ARGUMENTS,MYF(0),"ESCAPE"); my_error(ER_WRONG_ARGUMENTS,MYF(0),"ESCAPE");
return TRUE; return TRUE;