Commit 8fb7cbbe authored by unknown's avatar unknown

Fix bug #15268 Unchecked null value caused server crash

cmp_item_sort_string::cmp() wasn't checking values_res variable for null.
Later called function was dereferenced it and crashed server.

Added null check to cmp_item_sort_string::cmp().



sql/item_cmpfunc.h:
  Fix bug#15268  Unchecked null value caused server crash
  Added null check to cmp_item_sort_string::cmp().
mysql-test/t/select.test:
  Test case for bug#15268 Unchecked null value caused server crash
mysql-test/r/select.result:
  Test case for bug#15268 Unchecked null value caused server crash
parent 871806cf
...@@ -3337,3 +3337,11 @@ id select_type table type possible_keys key key_len ref rows Extra ...@@ -3337,3 +3337,11 @@ id select_type table type possible_keys key key_len ref rows Extra
1 SIMPLE t2 const PRIMARY PRIMARY 4 const 1 Using index 1 SIMPLE t2 const PRIMARY PRIMARY 4 const 1 Using index
1 SIMPLE t3 const PRIMARY PRIMARY 8 const,const 1 1 SIMPLE t3 const PRIMARY PRIMARY 8 const,const 1
DROP TABLE t1,t2,t3; DROP TABLE t1,t2,t3;
create table t1(f1 char, f2 char not null);
insert into t1 values(null,'a');
create table t2 (f2 char not null);
insert into t2 values('b');
select * from t1 left join t2 on f1=t2.f2 where t1.f2='a';
f1 f2 f2
NULL a NULL
drop table t1,t2;
...@@ -2805,3 +2805,13 @@ EXPLAIN SELECT t2.key_a,foo ...@@ -2805,3 +2805,13 @@ EXPLAIN SELECT t2.key_a,foo
WHERE t2.key_a=2 and key_b=5; WHERE t2.key_a=2 and key_b=5;
DROP TABLE t1,t2,t3; DROP TABLE t1,t2,t3;
#
# Bug#15268 Unchecked null value caused server crash
#
create table t1(f1 char, f2 char not null);
insert into t1 values(null,'a');
create table t2 (f2 char not null);
insert into t2 values('b');
select * from t1 left join t2 on f1=t2.f2 where t1.f2='a';
drop table t1,t2;
...@@ -723,9 +723,9 @@ class cmp_item_sort_string :public cmp_item_string ...@@ -723,9 +723,9 @@ class cmp_item_sort_string :public cmp_item_string
{ {
char buff[STRING_BUFFER_USUAL_SIZE]; char buff[STRING_BUFFER_USUAL_SIZE];
String tmp(buff, sizeof(buff), cmp_charset), *res; String tmp(buff, sizeof(buff), cmp_charset), *res;
if (!(res= arg->val_str(&tmp))) res= arg->val_str(&tmp);
return 1; /* Can't be right */ return (value_res ? (res ? sortcmp(value_res, res, cmp_charset) : 1) :
return sortcmp(value_res, res, cmp_charset); (res ? -1 : 0));
} }
int compare(cmp_item *c) int compare(cmp_item *c)
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment