Commit 0a29baba authored by Sergey Glukhov's avatar Sergey Glukhov

Fix for bug #54575: crash when joining tables with unique set column(backport from 5.1)

Problem: a flaw (dereferencing a NULL pointer) in the LIKE optimization
code may lead to a server crash in some rare cases.

Fix: check the pointer before its dereferencing.


mysql-test/r/func_like.result:
  Fix for bug #54575: crash when joining tables with unique set column
    - test result.
mysql-test/t/func_like.test:
  Fix for bug #54575: crash when joining tables with unique set column
    - test case.
sql/item_cmpfunc.cc:
  Fix for bug #54575: crash when joining tables with unique set column
  - check res2 buffer pointer before its dereferencing 
    as it may be NULL in some cases.
parent 33ec6f80
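--- a/mysql-test/r/func_like.result
+++ b/mysql-test/r/func_like.result
@@ -165,3 +165,17 @@ select 'andre%' like 'andre
 select _cp1251'andre%' like convert('andre%' using cp1251) escape '';
 _cp1251'andre%' like convert('andre%' using cp1251) escape ''
 1
+End of 4.1 tests
+#
+# Bug #54575: crash when joining tables with unique set column
+#
+CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
+CREATE TABLE t2(b INT PRIMARY KEY);
+INSERT INTO t1 VALUES ();
+Warnings:
+Warning 1364 Field 'a' doesn't have a default value
+INSERT INTO t2 VALUES (1), (2), (3);
+SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
+1
+DROP TABLE t1, t2;
+End of 5.1 tests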
......@@ -112,5 +112,19 @@ select 'andre%' like 'andre
#
select _cp1251'andre%' like convert('andre%' using cp1251) escape '';
#
# End of 4.1 tests
--echo End of 4.1 tests
--echo #
--echo # Bug #54575: crash when joining tables with unique set column
--echo #
CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
CREATE TABLE t2(b INT PRIMARY KEY);
INSERT INTO t1 VALUES ();
INSERT INTO t2 VALUES (1), (2), (3);
SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
DROP TABLE t1, t2;
--echo End of 5.1 tests
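Review bot: The repro at `INSERT INTO t1 VALUES ();` depends on a non-strict sql_mode: inserting no value into a NOT NULL SET column with no default is accepted only with warning 1364 (visible in the recorded result), and under STRICT_TRANS_TABLES/STRICT_ALL_TABLES the statement is an error and the test fails before reaching the SELECT. If the empty set value is what drives the crash path, `INSERT INTO t1 VALUES ('');` gives the same row explicitly and without the warning; if the warning itself is meant to be part of the expectation, a one-line comment above the INSERT stating that the test requires non-strict mode would make the dependency deliberate.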
......@@ -4220,13 +4220,14 @@ Item_func::optimize_type Item_func_like::select_optimize() const
if (args[1]->const_item())
{
String* res2= args[1]->val_str((String *)&tmp_value2);
const char *ptr2;
if (!res2)
if (!res2 || !(ptr2= res2->ptr()))
return OPTIMIZE_NONE;
if (*res2->ptr() != wild_many)
if (*ptr2 != wild_many)
{
if (args[0]->result_type() != STRING_RESULT || *res2->ptr() != wild_one)
if (args[0]->result_type() != STRING_RESULT || *ptr2 != wild_one)
return OPTIMIZE_OP;
}
}
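Review bot: The new guard at `if (!res2 || !(ptr2= res2->ptr()))` rules out a NULL buffer but not a zero-length one: a constant pattern such as `''` can arrive with a non-NULL `ptr()` and `length()` of 0, and `*ptr2` on the following line then reads a byte outside the string's logical contents. A conservative extension is `if (!res2 || !res2->length() || !(ptr2= res2->ptr()))`, which only declines the index optimization for the empty pattern rather than changing any result. It would also help future readers to record why the buffer can be NULL at all, e.g. `/* ptr() appears to be NULL when the pattern comes from an empty SET value (bug #54575) -- confirm */`, since the commit message only says "in some cases". select_optimize() begins and ends outside this hunk.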