From 620aeb44db8a2f442a662a54a7ea85b363d68dd5 Mon Sep 17 00:00:00 2001
From: Oleksandr Byelkin
Date: Fri, 14 Jul 2023 14:51:09 +0200
Subject: [PATCH] MDEV-30159: Client can crash the server with a mysql_list_fields("view") call

Do not get value of expensive constants.
---
 sql/item_cmpfunc.cc | 4 +++-
 tests/mysql_client_test.c | 43 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index fa96d95adb1..8e6ca318d11 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -6047,7 +6047,9 @@ void Regexp_processor_pcre::fix_owner(Item_func *owner,
 Item *subject_arg,
 Item *pattern_arg)
 {
- if (!is_compiled() && pattern_arg->const_item())
+ if (!is_compiled() &&
+ pattern_arg->const_item() &&
+ !pattern_arg->is_expensive())
 {
 if (compile(pattern_arg, true))
 {
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 21f5c2ecbcb..05190b20624 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
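Review bot: The added `!pattern_arg->is_expensive()` test in `Regexp_processor_pcre::fix_owner` carries no comment, so the reason a constant pattern is sometimes left uncompiled here is recorded only in the commit message. I would add above the `if`: `/* An expensive constant (e.g. a subquery) must not be evaluated at fix time; see MDEV-30159 */`. With this guard such a pattern is still uncompiled when `fix_owner` returns, so it presumably has to be compiled on the execution path instead; that path is outside the hunk and worth confirming. It is also worth checking whether other fix-time evaluations of `const_item()` arguments need the same guard. The body of `fix_owner` continues past the end of the hunk.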
@@ -21392,6 +21392,48 @@ static void test_mdev20261()
 myquery(rc);
 }
+static void test_mdev_30159()
+{
+ MYSQL_RES *result;
+ int rc;
+
+ myheader("test_mdev_30159");
+
+ rc= mysql_query(mysql, "create table t1 ("
+ " name varchar(100),"
+ " typ varchar(100)"
+ ")");
+ myquery(rc);
+ rc= mysql_query(mysql, "insert into t1 values (1,1),(2,2),(3,3),(4,4),(5,5),"
+ "(6,6),(7,7),(8,8),(9,9),(10,10)");
+ myquery(rc);
+ rc= mysql_query(mysql, "insert into t1 values ('', 'value'),('', 'value')");
+ myquery(rc);
+ rc= mysql_query(mysql, "create table t2 ("
+ " servername varchar(100)"
+ ")");
+ myquery(rc);
+ rc= mysql_query(mysql, "insert into t2 values (1),(2),(3),(4),(5),"
+ "(6),(7),(8),(9),(10)");
+ myquery(rc);
+ rc= mysql_query(mysql, "create view v1 as"
+ " select * from t2"
+ " where"
+ " `t2`.`servername` regexp ( select"
+ " group_concat(`t1`.`name` separator '|')"
+ " from `t1`"
+ " where `t1`.`typ`"
+ " like 'value')");
+ myquery(rc);
+
+ result= mysql_list_fields(mysql, "v1", NULL);
+ mytest(result);
+
+ rc= mysql_query(mysql, "drop view v1");
+ myquery(rc);
+ rc= mysql_query(mysql, "drop table t1, t2");
+ myquery(rc);
+}
 static struct my_tests_st my_tests[]= {
 { "test_mdev_20516", test_mdev_20516 },
@@ -21695,6 +21737,7 @@ static struct my_tests_st my_tests[]= {
 { "test_mdev_16128", test_mdev_16128 },
 { "test_mdev18408", test_mdev18408 },
 { "test_mdev20261", test_mdev20261 },
+ { "test_mdev_30159", test_mdev_30159 },
 { 0, 0 }
 };
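Review bot: `test_mdev_30159` never releases the result set returned by `mysql_list_fields`; after `mytest(result);` it should call `mysql_free_result(result);`. The test also creates `t1`, `t2` and `v1` without first dropping leftovers, so objects left behind by an earlier aborted run would make the `create` statements fail before the regression is exercised. A leading `drop table if exists t1, t2` and `drop view if exists v1` would avoid that.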