    Fixed bug#17366: Unchecked Item_int results in server crash · 1da91c4a
    unknown authored
    When there is a conjunction of conds, the substitute_for_best_equal_field()
    will call the eliminate_item_equal() function in a loop to build the final
    expression. But if eliminate_item_equal() finds that some cond will always
    evaluate to 0, then that cond will be substituted by Item_int with value ==
    0. In this case on the next iteration eliminate_item_equal() will get that
    Item_int and treat it as Item_cond. This leads to memory corruption and
    server crash on the cleanup phase.
    
    To the eliminate_item_equal() function was added a DBUG_ASSERT for checking
    that all items treated as Item_cond are really Item_cond.
    The substitute_for_best_equal_field() now checks that if
    eliminate_item_equal() returns Item_int and its value is 0 then this
    value is returned as the result of the whole conjunction.
    
    
    mysql-test/t/subselect.test:
      Added test for bug#17366: Unchecked Item_int results in server crash
    mysql-test/r/subselect.result:
      Added test for bug#17366: Unchecked Item_int results in server crash
    sql/sql_select.cc:
      Fixed bug#17366: Unchecked Item_int results in server crash
      
      To the eliminate_item_equal() function was added a DBUG_ASSERT for checking
      that all items treated as Item_cond are really Item_cond.
      The substitute_for_best_equal_field() now checks that if
      eliminate_item_equal() returns something other than Item_cond, and if it is
      then this value is returned as the result of the whole conjunction.
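The defect class behind this commit is an unchecked downcast: a loop assumes every value it gets back is an Item_cond, but one branch of the callee returns an Item_int instead. The following is an added, self-contained model of that loop and of the fix the message describes; it is not MySQL's code, and the Item, Item_int, Item_cond, Item_func_eq and MultipleEquality types, the type() tag and the *_model function names are simplified stand-ins chosen to echo the commit message. The pre-fix behaviour is modelled by a function that counts how many times the old loop would have cast a non-Item_cond, rather than by actually performing the bad cast.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the optimizer's Item hierarchy (not MySQL's classes).
// type() is the runtime tag that makes a downcast checkable.
struct Item {
    enum Type { COND_ITEM, INT_ITEM, FUNC_ITEM };
    virtual ~Item() = default;
    virtual Type type() const = 0;
};
using ItemPtr = std::shared_ptr<Item>;

// Constant integer; value 0 stands for "this condition is always false".
struct Item_int : Item {
    long long value;
    explicit Item_int(long long v) : value(v) {}
    Type type() const override { return INT_ITEM; }
};

// A single comparison lhs = rhs (field = const or field = field).
struct Item_func_eq : Item {
    std::string lhs, rhs;
    Item_func_eq(std::string l, std::string r) : lhs(std::move(l)), rhs(std::move(r)) {}
    Type type() const override { return FUNC_ITEM; }
};

// An AND of several items.
struct Item_cond : Item {
    std::vector<ItemPtr> args;
    Type type() const override { return COND_ITEM; }
};

// One multiple-equality class: a set of fields plus the constants they equal.
struct MultipleEquality {
    std::vector<std::string> fields;
    std::vector<long long> consts;
};

// Model of eliminate_item_equal(): returns an Item_cond of comparisons, or
// Item_int(0) when the class is contradictory (equal to two different constants).
ItemPtr eliminate_item_equal_model(const MultipleEquality &eq) {
    for (size_t i = 1; i < eq.consts.size(); ++i)
        if (eq.consts[i] != eq.consts[0])
            return std::make_shared<Item_int>(0);   // the non-Item_cond branch
    auto cond = std::make_shared<Item_cond>();
    if (!eq.consts.empty()) {
        for (const auto &f : eq.fields)
            cond->args.push_back(std::make_shared<Item_func_eq>(f, std::to_string(eq.consts[0])));
    } else {
        for (size_t i = 1; i < eq.fields.size(); ++i)
            cond->args.push_back(std::make_shared<Item_func_eq>(eq.fields[i], eq.fields[0]));
    }
    return cond;
}

// Model of the pre-fix loop, which never looked at the returned item's type.
// Instead of performing the bad cast (the memory corruption in the message),
// this reports how many times the old code would have done so.
size_t count_unchecked_downcasts(const std::vector<MultipleEquality> &classes) {
    size_t bad = 0;
    for (const auto &eq : classes)
        if (eliminate_item_equal_model(eq)->type() != Item::COND_ITEM)
            ++bad;
    return bad;
}

// Model of the fixed substitute_for_best_equal_field() loop: every result is
// type-checked before it is used as a conjunction, and an Item_int(0) becomes
// the value of the whole AND immediately.
ItemPtr substitute_for_best_equal_field_model(const std::vector<MultipleEquality> &classes) {
    auto result = std::make_shared<Item_cond>();
    for (const auto &eq : classes) {
        ItemPtr item = eliminate_item_equal_model(eq);
        if (item->type() == Item::INT_ITEM) {
            if (static_cast<Item_int *>(item.get())->value == 0)
                return item;            // always false: short-circuit the conjunction
            continue;                   // a non-zero constant adds nothing to an AND
        }
        assert(item->type() == Item::COND_ITEM);   // mirrors the added DBUG_ASSERT
        auto *cond = static_cast<Item_cond *>(item.get());
        result->args.insert(result->args.end(), cond->args.begin(), cond->args.end());
    }
    return result;
}

// Helpers so callers can inspect a result without downcasting themselves.
bool is_false_constant(const ItemPtr &item) {
    return item->type() == Item::INT_ITEM && static_cast<Item_int *>(item.get())->value == 0;
}
size_t conjunct_count(const ItemPtr &item) {
    return item->type() == Item::COND_ITEM ? static_cast<Item_cond *>(item.get())->args.size() : 0;
}
```

The model uses a type tag plus an assert at the cast site, which is the shape of the fix in the message: the check is cheap, the assert makes any future non-Item_cond return fail loudly in debug builds instead of corrupting memory, and the Item_int(0) short-circuit is also semantically right, since an AND containing an always-false term is false.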