Bug #23279858: MYSQLD GOT SIGNAL 11 ON SIMPLE SELECT

NAME_CONST QUERY ISSUE: ------ Using NAME_CONST with a non-constant negated expression as value can result in incorrect behavior. SOLUTION: --------- The problem can be avoided by checking whether the argument is a constant value. The fix is a backport of Bug#12735545.

Bug #23279858: MYSQLD GOT SIGNAL 11 ON SIMPLE SELECT
NAME_CONST QUERY ISSUE: ------ Using NAME_CONST with a non-constant negated expression as value can result in incorrect behavior. SOLUTION: --------- The problem can be avoided by checking whether the argument is a constant value. The fix is a backport of Bug#12735545.
115f0828 · Sreeharsha Ramanavarapu · 4de9d9c2 · 115f0828 · 115f0828 · 115f0828
Commit 115f0828 authored May 24, 2016 by Sreeharsha Ramanavarapu
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 2 deletions

mysql-test/r/func_misc.result mysql-test/r/func_misc.result +7 -0

mysql-test/t/func_misc.test mysql-test/t/func_misc.test +10 -0

sql/item.cc sql/item.cc +7 -2

No files found.
--- a/mysql-test/r/func_misc.result
+++ b/mysql-test/r/func_misc.result
@@ -403,3 +403,10 @@ DROP TABLE t1;
 #
 # End of tests
 #
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1 AND 2)) OR 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1)) OR 1;
+NAME_CONST('a', -(1)) OR 1
+1
--- a/mysql-test/t/func_misc.test
+++ b/mysql-test/t/func_misc.test
@@ -544,3 +544,13 @@ DROP TABLE t1;
 --echo #
 --echo # End of tests
 --echo #
+
+#
+# Bug#12735545 - PARSER STACK OVERFLOW WITH NAME_CONST
+#                CONTAINING OR EXPRESSION
+#
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 AND 2)) OR 1;
+SELECT NAME_CONST('a', -(1)) OR 1;
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1358,6 +1358,11 @@ bool Item_name_const::is_null()
 Item_name_const::Item_name_const(Item *name_arg, Item *val):
    value_item(val), name_item(name_arg)
 {
+  /*
+    The value argument to NAME_CONST can only be a literal constant. Some extra
+    tests are needed to support a collation specificer and to handle negative
+    values.
+  */
  if (!(valid_args= name_item->basic_const_item() &&
                    (value_item->basic_const_item() ||
                     ((value_item->type() == FUNC_ITEM) &&
@@ -1365,8 +1370,8 @@ Item_name_const::Item_name_const(Item *name_arg, Item *val):
                         Item_func::COLLATE_FUNC) ||
                      ((((Item_func *) value_item)->functype() ==
                         Item_func::NEG_FUNC) &&
-                      (((Item_func *) value_item)->key_item()->type() !=
-                         FUNC_ITEM)))))))
+                      (((Item_func *)
+                        value_item)->key_item()->basic_const_item())))))))
    my_error(ER_WRONG_ARGUMENTS, MYF(0), "NAME_CONST");
  Item::maybe_null= TRUE;
 }