From f7316aa0c9a3909fc7498e7b95d5d3af044a7e21 Mon Sep 17 00:00:00 2001 From: Ajo Robert Date: Thu, 24 Aug 2017 17:03:21 +0530 Subject: [PATCH] Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL)) Backport of Bug#19143243 fix. NAME_CONST item can return NULL_ITEM type in case of incorrect arguments. NULL_ITEM has special processing in Item_func_in function. In Item_func_in::fix_length_and_dec an array of possible comparators is created. Since NAME_CONST function has NULL_ITEM type, corresponding array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE. ITEM_CACHE can not return proper type(NULL_ITEM) in Item_func_in::val_int(), so the NULL_ITEM is attempted compared with an empty comparator. The fix is to disable the caching of Item_name_const item. --- sql/item.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sql/item.h b/sql/item.h index 8caa2bc5f9f..9f4e1d24424 100644 --- a/sql/item.h +++ b/sql/item.h @@ -1,7 +1,7 @@ #ifndef ITEM_INCLUDED #define ITEM_INCLUDED -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1552,6 +1552,12 @@ public: return TRUE; } + virtual bool cache_const_expr_analyzer(uchar **arg) + { + // Item_name_const always wraps a literal, so there is no need to cache it. + return false; + } + int save_in_field(Field *field, bool no_conversions) { return value_item->save_in_field(field, no_conversions);