database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-11-18 07:48:43 +03:00
Code Activity

Fixed bug#17366: Unchecked Item_int results in server crash

Browse Source 
When there is conjunction of conds, the substitute_for_best_equal_field()
will call the eliminate_item_equal() function in loop to build final
expression. But if eliminate_item_equal() finds that some cond will always
evaluate to 0, then that cond will be substituted by Item_int with value ==
0. In this case on the next iteration eliminate_item_equal() will get that 
Item_int and treat it as Item_cond. This is leads to memory corruption and
server crash on cleanup phase.

To the eliminate_item_equal() function was added DBUG_ASSERT for checking
that all items treaten as Item_cond are really Item_cond.
The substitute_for_best_equal_field() now checks that if
eliminate_item_equal() returns Item_int and it's value is 0 then this 
value is returned as the result of whole conjunction.
This commit is contained in:
evgen@sunlight.local
2006-03-13 21:11:15 +03:00
parent f47ed62fb0
commit af660df0ef
3 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
mysql-test/r/subselect.result
View File

@@ -3157,3 +3157,10 @@ id select_type table type possible_keys key key_len ref rows Extra
1 PRIMARY t1 ALL NULL NULL NULL NULL 9 Using where
2 DEPENDENT SUBQUERY t1 index NULL a 8 NULL 9 Using filesort
DROP TABLE t1;
create table t1( f1 int,f2 int);
insert into t1 values (1,1),(2,2);
select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
t
crash1
crash1
drop table t1;