From a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub
Date: Tue, 12 Oct 2021 10:17:52 +0200
Subject: [PATCH] MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str

The reason for crash is that natural_sort_key(release_lock('a')) would evaluate release_lock() twice, once in Item::is_null() and another time in Item::val_str(). Second time it returns NULL, since lock was already released. Fixed to prevent double evaluation.
---
 mysql-test/main/natural_sort_key.result | 6 ++++++
 mysql-test/main/natural_sort_key.test | 5 +++++
 sql/item_strfunc.cc | 4 ++--
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/mysql-test/main/natural_sort_key.result b/mysql-test/main/natural_sort_key.result
index 46151dc8446..2b45addd1c6 100644
--- a/mysql-test/main/natural_sort_key.result
+++ b/mysql-test/main/natural_sort_key.result
@@ -206,3 +206,9 @@ drop table t;
 select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031);
 natural_sort_key(_utf16 0x0031) natural_sort_key(_ucs2 0x0031) natural_sort_key(_utf32 0x00000031)
 01 01 01
+select get_lock('a', 0);
+get_lock('a', 0)
+1
+select natural_sort_key(release_lock('a'));
+natural_sort_key(release_lock('a'))
+01
diff --git a/mysql-test/main/natural_sort_key.test b/mysql-test/main/natural_sort_key.test
index fbd4e6e0172..811f937750c 100644
--- a/mysql-test/main/natural_sort_key.test
+++ b/mysql-test/main/natural_sort_key.test
@@ -95,3 +95,8 @@ drop table t;
 
 # MDEV-26796 Natural sort does not work for utf32/utf16/ucs2
 select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031);
+
+# MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str
+select get_lock('a', 0);
+select natural_sort_key(release_lock('a'));
+
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index a13728295b8..0567501c97a 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -5638,13 +5638,13 @@ static NATSORT_ERR to_natsort_key(const String *in, String *out,
 
 String *Item_func_natural_sort_key::val_str(String *out)
 {
-  if (args[0]->is_null())
+  String *in= args[0]->val_str();
+  if (args[0]->null_value || !in)
   {
     null_value= true;
     return nullptr;
   }
   NATSORT_ERR err= NATSORT_ERR::SUCCESS;
-  String *in= args[0]->val_str();
   CHARSET_INFO *cs= in->charset();
   ulong max_allowed_packet= current_thd->variables.max_allowed_packet;
   uint errs;
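Review bot: The new `String *in= args[0]->val_str();` line carries no comment saying why the argument is now evaluated before the NULL test, so a later cleanup that "tidies" it back into `if (args[0]->is_null())` would silently reintroduce the double evaluation and the NULL dereference at `in->charset()`. I would add above the `val_str()` call: `/* Evaluate the argument exactly once: an is_null() check followed by val_str() would run side-effecting functions such as release_lock() twice, and the second call can return NULL (MDEV-26806). */`. The `!in` half of the condition is worth keeping as a defensive check even when `null_value` is already set, since every later line in this function dereferences `in`. The same `is_null()`-then-`val_str()` pairing is a general hazard for any argument with side effects, so other functions in this file that use it are presumably worth auditing, though none are visible in this hunk. The body of `val_str` continues past the end of the hunk, so any further re-evaluation of `args[0]` later in the function cannot be ruled out from here.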