From 173c2bb0b9f21cefe7505b1b4e8d8c35549f6fe4 Mon Sep 17 00:00:00 2001
From: "ramil/ram@mysql.com/ramil.myoffice.izhnet.ru" <>
Date: Wed, 7 Nov 2007 12:47:19 +0400
Subject: [PATCH 1/2] Fix for bug #32137: prepared statement crash with
 str_to_date in update clause

Problem: calling non-constant argument's val_xxx() methods
in the ::fix_length_and_dec() is inadmissible.

Fix: call the method only for constant arguments.
---
 mysql-test/r/ps.result |  5 +++++
 mysql-test/t/ps.test   |  9 ++++++++
 sql/item_timefunc.cc   | 49 ++++++++++++++++++++++--------------------
 3 files changed, 40 insertions(+), 23 deletions(-)

diff --git a/mysql-test/r/ps.result b/mysql-test/r/ps.result
index 49e4bf2f318..49643dd3f78 100644
--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -1109,4 +1109,9 @@ a
 13
 DEALLOCATE PREPARE st1;
 DROP TABLE t1;
+create table t1 (a int, b tinyint);
+prepare st1 from 'update t1 set b= (str_to_date(a, a))';
+execute st1;
+deallocate prepare st1;
+drop table t1;
 End of 4.1 tests.
diff --git a/mysql-test/t/ps.test b/mysql-test/t/ps.test
index 5e5dcc36b19..18beb357d05 100644
--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -1146,4 +1146,13 @@ EXECUTE st1;
 DEALLOCATE PREPARE st1;
 DROP TABLE t1;
 
+#
+# Bug #32137: prepared statement crash with str_to_date in update clause
+#
+create table t1 (a int, b tinyint);
+prepare st1 from 'update t1 set b= (str_to_date(a, a))';
+execute st1;
+deallocate prepare st1;
+drop table t1;
+
 --echo End of 4.1 tests.
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
index 4bd3d68b9c1..08e0a727544 100644
--- a/sql/item_timefunc.cc
+++ b/sql/item_timefunc.cc
@@ -2958,39 +2958,42 @@ Field *Item_func_str_to_date::tmp_table_field(TABLE *t_arg)
 
 void Item_func_str_to_date::fix_length_and_dec()
 {
-  char format_buff[64];
-  String format_str(format_buff, sizeof(format_buff), &my_charset_bin);
-  String *format;
   maybe_null= 1;
   decimals=0;
   cached_field_type= MYSQL_TYPE_STRING;
   max_length= MAX_DATETIME_FULL_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
   cached_timestamp_type= MYSQL_TIMESTAMP_NONE;
-  format= args[1]->val_str(&format_str);
-  if (!args[1]->null_value && (const_item= args[1]->const_item()))
+  if ((const_item= args[1]->const_item()))
   {
-    cached_format_type= get_date_time_result_type(format->ptr(),
-                                                  format->length());
-    switch (cached_format_type) {
-    case DATE_ONLY:
-      cached_timestamp_type= MYSQL_TIMESTAMP_DATE;
-      cached_field_type= MYSQL_TYPE_DATE; 
-      max_length= MAX_DATE_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
-      break;
-    case TIME_ONLY:
-    case TIME_MICROSECOND:
-      cached_timestamp_type= MYSQL_TIMESTAMP_TIME;
-      cached_field_type= MYSQL_TYPE_TIME; 
-      max_length= MAX_TIME_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
-      break;
-    default:
-      cached_timestamp_type= MYSQL_TIMESTAMP_DATETIME;
-      cached_field_type= MYSQL_TYPE_DATETIME; 
-      break;
+    char format_buff[64];
+    String format_str(format_buff, sizeof(format_buff), &my_charset_bin);
+    String *format= args[1]->val_str(&format_str);
+    if (!args[1]->null_value)
+    {
+      cached_format_type= get_date_time_result_type(format->ptr(),
+                                                    format->length());
+      switch (cached_format_type) {
+      case DATE_ONLY:
+        cached_timestamp_type= MYSQL_TIMESTAMP_DATE;
+        cached_field_type= MYSQL_TYPE_DATE; 
+        max_length= MAX_DATE_WIDTH * MY_CHARSET_BIN_MB_MAXLEN;
+        break;
+      case TIME_ONLY:
+      case TIME_MICROSECOND:
+        cached_timestamp_type= MYSQL_TIMESTAMP_TIME;
+        cached_field_type= MYSQL_TYPE_TIME; 
+        max_length= MAX_TIME_WIDTH * MY_CHARSET_BIN_MB_MAXLEN;
+        break;
+      default:
+        cached_timestamp_type= MYSQL_TIMESTAMP_DATETIME;
+        cached_field_type= MYSQL_TYPE_DATETIME; 
+        break;
+      }
     }
   }
 }
 
+
 bool Item_func_str_to_date::get_date(TIME *ltime, uint fuzzy_date)
 {
   DATE_TIME_FORMAT date_time_format;

From f3813c920e6820e339d15987febd8746b483bf5e Mon Sep 17 00:00:00 2001
From: "ramil/ram@mysql.com/ramil.myoffice.izhnet.ru" <>
Date: Sat, 10 Nov 2007 18:27:57 +0400
Subject: [PATCH 2/2] manual merge.

---
 mysql-test/r/ps.result |  5 +++++
 mysql-test/t/ps.test   | 10 +++++++++
 sql/item_timefunc.cc   | 48 +++++++++++++++++++++++-------------------
 3 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/mysql-test/r/ps.result b/mysql-test/r/ps.result
index 4db588e5cac..0682cae5c80 100644
--- a/mysql-test/r/ps.result
+++ b/mysql-test/r/ps.result
@@ -1136,6 +1136,11 @@ a
 13
 DEALLOCATE PREPARE st1;
 DROP TABLE t1;
+create table t1 (a int, b tinyint);
+prepare st1 from 'update t1 set b= (str_to_date(a, a))';
+execute st1;
+deallocate prepare st1;
+drop table t1;
 End of 4.1 tests.
 create table t1 (a varchar(20));
 insert into t1 values ('foo');
diff --git a/mysql-test/t/ps.test b/mysql-test/t/ps.test
index cd2fc44e3ce..c1505ffd645 100644
--- a/mysql-test/t/ps.test
+++ b/mysql-test/t/ps.test
@@ -1210,6 +1210,16 @@ EXECUTE st1;
 DEALLOCATE PREPARE st1;
 DROP TABLE t1;
 
+
+#
+# Bug #32137: prepared statement crash with str_to_date in update clause
+#
+create table t1 (a int, b tinyint);
+prepare st1 from 'update t1 set b= (str_to_date(a, a))';
+execute st1;
+deallocate prepare st1;
+drop table t1;
+
 --echo End of 4.1 tests.
 
 ############################# 5.0 tests start ################################
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
index ae18e4786d7..3a2df5125ba 100644
--- a/sql/item_timefunc.cc
+++ b/sql/item_timefunc.cc
@@ -3306,38 +3306,42 @@ Field *Item_func_str_to_date::tmp_table_field(TABLE *t_arg)
 
 void Item_func_str_to_date::fix_length_and_dec()
 {
-  char format_buff[64];
-  String format_str(format_buff, sizeof(format_buff), &my_charset_bin), *format;
   maybe_null= 1;
   decimals=0;
   cached_field_type= MYSQL_TYPE_STRING;
   max_length= MAX_DATETIME_FULL_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
   cached_timestamp_type= MYSQL_TIMESTAMP_NONE;
-  format= args[1]->val_str(&format_str);
-  if (!args[1]->null_value && (const_item= args[1]->const_item()))
+  if ((const_item= args[1]->const_item()))
   {
-    cached_format_type= get_date_time_result_type(format->ptr(),
-                                                  format->length());
-    switch (cached_format_type) {
-    case DATE_ONLY:
-      cached_timestamp_type= MYSQL_TIMESTAMP_DATE;
-      cached_field_type= MYSQL_TYPE_DATE; 
-      max_length= MAX_DATE_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
-      break;
-    case TIME_ONLY:
-    case TIME_MICROSECOND:
-      cached_timestamp_type= MYSQL_TIMESTAMP_TIME;
-      cached_field_type= MYSQL_TYPE_TIME; 
-      max_length= MAX_TIME_WIDTH*MY_CHARSET_BIN_MB_MAXLEN;
-      break;
-    default:
-      cached_timestamp_type= MYSQL_TIMESTAMP_DATETIME;
-      cached_field_type= MYSQL_TYPE_DATETIME; 
-      break;
+    char format_buff[64];
+    String format_str(format_buff, sizeof(format_buff), &my_charset_bin);
+    String *format= args[1]->val_str(&format_str);
+    if (!args[1]->null_value)
+    {
+      cached_format_type= get_date_time_result_type(format->ptr(),
+                                                    format->length());
+      switch (cached_format_type) {
+      case DATE_ONLY:
+        cached_timestamp_type= MYSQL_TIMESTAMP_DATE;
+        cached_field_type= MYSQL_TYPE_DATE; 
+        max_length= MAX_DATE_WIDTH * MY_CHARSET_BIN_MB_MAXLEN;
+        break;
+      case TIME_ONLY:
+      case TIME_MICROSECOND:
+        cached_timestamp_type= MYSQL_TIMESTAMP_TIME;
+        cached_field_type= MYSQL_TYPE_TIME; 
+        max_length= MAX_TIME_WIDTH * MY_CHARSET_BIN_MB_MAXLEN;
+        break;
+      default:
+        cached_timestamp_type= MYSQL_TIMESTAMP_DATETIME;
+        cached_field_type= MYSQL_TYPE_DATETIME; 
+        break;
+      }
     }
   }
 }
 
+
 bool Item_func_str_to_date::get_date(MYSQL_TIME *ltime, uint fuzzy_date)
 {
   DATE_TIME_FORMAT date_time_format;