From 2264b644735e869fdbb16397c75170d86e2de127 Mon Sep 17 00:00:00 2001
From: unknown <evgen@moonbone.local>
Date: Mon, 29 May 2006 00:32:59 +0400
Subject: [PATCH 1/2] Fixed bug#19225: unchecked error results in server crash

In multi-table delete a table for delete can't be used for selecting in
subselects. Appropriate error was raised but wasn't checked which leads to a
crash at the execution phase.

The mysql_execute_command() now checks for errors before executing select
for multi-delete.


mysql-test/t/multi_update.test:
  Added test case for bug#19225: unchecked error results in server crash
mysql-test/r/multi_update.result:
  Added test case for bug#19225: unchecked error results in server crash
sql/sql_parse.cc:
  Fixed bug#19225: unchecked error results in server crash
  The mysql_execute_command() now checks for errors before executing select for multi-delete.
---
 mysql-test/r/multi_update.result | 5 +++++
 mysql-test/t/multi_update.test   | 8 ++++++++
 sql/sql_parse.cc                 | 4 ++--
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/mysql-test/r/multi_update.result b/mysql-test/r/multi_update.result
index dba10296063..ee62bd3bce6 100644
--- a/mysql-test/r/multi_update.result
+++ b/mysql-test/r/multi_update.result
@@ -475,3 +475,8 @@ aclid bigint, index idx_acl(aclid)
 insert into t2 values(1,null);
 delete t2, t1 from t2 left join t1 on (t2.aclid=t1.aclid) where t2.refid='1';
 drop table t1, t2;
+create table t1(a int);
+create table t2(a int);
+delete from t1,t2 using t1,t2 where t1.a=(select a from t1);
+ERROR HY000: You can't specify target table 't1' for update in FROM clause
+drop table t1, t2;
diff --git a/mysql-test/t/multi_update.test b/mysql-test/t/multi_update.test
index 27bdf4df3d7..e628e900c73 100644
--- a/mysql-test/t/multi_update.test
+++ b/mysql-test/t/multi_update.test
@@ -448,4 +448,12 @@ insert into t2 values(1,null);
 delete t2, t1 from t2 left join t1 on (t2.aclid=t1.aclid) where t2.refid='1';
 drop table t1, t2;
 
+#
+# Bug#19225: unchecked error leads to server crash
+#
+create table t1(a int);
+create table t2(a int);
+--error 1093
+delete from t1,t2 using t1,t2 where t1.a=(select a from t1);
+drop table t1, t2;
 # End of 4.1 tests
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 51ef3f31b26..06005f31198 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -3047,8 +3047,8 @@ unsent_create_error:
       }
     }
 
-    if (!thd->is_fatal_error && (result= new multi_delete(thd,aux_tables,
-							  table_count)))
+    if (!res && !thd->is_fatal_error &&
+        (result= new multi_delete(thd,aux_tables, table_count)))
     {
       res= mysql_select(thd, &select_lex->ref_pointer_array,
 			select_lex->get_table_list(),

From c007dabaf62b7ac7eb41e2460b12d652b132bb7f Mon Sep 17 00:00:00 2001
From: unknown <evgen@moonbone.local>
Date: Tue, 30 May 2006 00:36:48 +0400
Subject: [PATCH 2/2] Fixed bug#18360: Incorrect type coercion in IN() results
 in false comparison

The IN() function uses agg_cmp_type() to aggregate all types of its arguments
to find out some common type for comparisons. In this particular case the
char() and the int was aggregated to double because char() can contain values
like '1.5'. But all strings which do not start from a digit are converted to
0. thus 'a' and 'z' become equal.
This behaviour is reasonable when all function arguments are constants. But
when there is a field or an expression this can lead to false comparisons. In
this case it makes more sense to coerce constants to the type of the field
argument.

The agg_cmp_type() function now aggregates types of constant and non-constant
items separately. If some non-constant items will be found then their
aggregated type will be returned. Thus after the aggregation constants will be
coerced to the aggregated type.


mysql-test/t/func_in.test:
  Added test case for bug#18360: Incorrect type coercion in IN() results in false comparison.
mysql-test/r/func_in.result:
  Added test case for bug#18360: Incorrect type coercion in IN() results in false comparison.
sql/item_cmpfunc.cc:
  Fixed bug#18360: Incorrect type coercion in IN() results in false comparison.
  The agg_cmp_type() function now aggregates types of constant and non-constant
  items separately. If some non-constant items will be found then their
  aggregated type will be returned. Thus after the aggregation constants will
  be coerced to the aggregated type.
---
 mysql-test/r/func_in.result | 21 +++++++++++++++++++++
 mysql-test/t/func_in.test   | 12 ++++++++++++
 sql/item_cmpfunc.cc         | 37 +++++++++++++++++++++++++++++++++++--
 3 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/mysql-test/r/func_in.result b/mysql-test/r/func_in.result
index 3cf2afc83d1..0632dddb87e 100644
--- a/mysql-test/r/func_in.result
+++ b/mysql-test/r/func_in.result
@@ -202,3 +202,24 @@ select count(*) from t1 where id not in (1,2);
 count(*)
 1
 drop table t1;
+create table t1 (f1 char(1), f2 int);
+insert into t1 values (1,0),('a',1),('z',2);
+select f1 from t1 where f1 in (1,'z');
+f1
+1
+z
+select f2 from t1 where f2 in (1,'z');
+f2
+0
+1
+select f1 from t1 where 'z' in (1,f1);
+f1
+z
+select * from t1 where 'z' in (f2,f1);
+f1	f2
+z	2
+select * from t1 where 1 in (f2,f1);
+f1	f2
+1	0
+a	1
+drop table t1;
diff --git a/mysql-test/t/func_in.test b/mysql-test/t/func_in.test
index 2ffe5a2d5f7..3481f2c7b11 100644
--- a/mysql-test/t/func_in.test
+++ b/mysql-test/t/func_in.test
@@ -109,4 +109,16 @@ select count(*) from t1 where id not in (1);
 select count(*) from t1 where id not in (1,2);
 drop table t1;
 
+#
+# Bug#18360 Incorrect type coercion in IN() results in false comparison
+#
+create table t1 (f1 char(1), f2 int);
+insert into t1 values (1,0),('a',1),('z',2);
+select f1 from t1 where f1 in (1,'z');
+select f2 from t1 where f2 in (1,'z');
+select f1 from t1 where 'z' in (1,f1);
+select * from t1 where 'z' in (f2,f1);
+select * from t1 where 1 in (f2,f1);
+drop table t1;
+
 # End of 4.1 tests
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index 3c41fb56d89..bfbb3355004 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -58,12 +58,45 @@ static void agg_result_type(Item_result *type, Item **items, uint nitems)
   }
 }
 
+
+/*
+  Aggregates result types from the array of items.
+
+  SYNOPSIS:
+    agg_cmp_type()
+    type   [out] the aggregated type
+    items        array of items to aggregate the type from
+    nitems       number of items in the array
+
+  DESCRIPTION
+    This function aggregates result types from the array of items. Found type
+    supposed to be used later for comparison of values of these items.
+    Aggregation itself is performed by the item_cmp_type() function.
+
+  NOTES
+    Aggregation rules:
+    If all items are constants the type will be aggregated from all items.
+    If there are some non-constant items then only types of non-constant
+    items will be used for aggregation.
+*/
 static void agg_cmp_type(Item_result *type, Item **items, uint nitems)
 {
   uint i;
   type[0]= items[0]->result_type();
-  for (i=1 ; i < nitems ; i++)
-    type[0]= item_cmp_type(type[0], items[i]->result_type());
+  /* Reset to 0 on first occurence of non-const item. 1 otherwise */
+  bool is_const= items[0]->const_item();
+
+  for (i= 1 ; i < nitems ; i++)
+  {
+    if (!items[i]->const_item())
+    {
+      type[0]= is_const ? items[i]->result_type() :
+                 item_cmp_type(type[0], items[i]->result_type());
+      is_const= 0;
+    }
+    else if (is_const)
+      type[0]= item_cmp_type(type[0], items[i]->result_type());
+  }
 }
 
 static void my_coll_agg_error(DTCollation &c1, DTCollation &c2,