MDEV-20200: AddressSanitizer: use-after-poison in Item_direct_view_ref::get_null_ref_table

Do not cast wrong type.

MDEV-20200: AddressSanitizer: use-after-poison in Item_direct_view_ref::get_null_ref_table
Do not cast wrong type.
ccaaa3d2 · Oleksandr Byelkin · 83d368a0 · ccaaa3d2 · ccaaa3d2 · ccaaa3d2
Commit ccaaa3d2 authored Jul 29, 2019 by Oleksandr Byelkin
Showing with 51 additions and 18 deletions

mysql-test/main/having.result mysql-test/main/having.result +9 -0

mysql-test/main/having.test mysql-test/main/having.test +13 -0

sql/sql_select.cc sql/sql_select.cc +29 -18

No files found.
--- a/mysql-test/main/having.result
+++ b/mysql-test/main/having.result
@@ -864,4 +864,13 @@ x
 Warnings:
 Warning	1292	Truncated incorrect DOUBLE value: 'x'
 DROP TABLE t1,t2;
+#
+# MDEV-20200: AddressSanitizer: use-after-poison in
+# Item_direct_view_ref::get_null_ref_table
+#
+CREATE TABLE t (f VARCHAR(512));
+INSERT INTO t VALUES ('a'),('b');
+SELECT * FROM t HAVING f = 'foo';
+f
+DROP TABLE t;
 # End of 10.4 tests
--- a/mysql-test/main/having.test
+++ b/mysql-test/main/having.test
@@ -909,4 +909,17 @@ HAVING t.f != 112 AND t.f = 'x' AND t.f != 'a';
 DROP TABLE t1,t2;
+--echo #
+--echo # MDEV-20200: AddressSanitizer: use-after-poison in
+--echo # Item_direct_view_ref::get_null_ref_table
+--echo #
+CREATE TABLE t (f VARCHAR(512));
+INSERT INTO t VALUES ('a'),('b');
+SELECT * FROM t HAVING f = 'foo';
+# Cleanup
+DROP TABLE t;
 --echo # End of 10.4 tests
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -14333,27 +14333,38 @@ bool check_simple_equality(THD *thd, const Item::Context &ctx,
 {
  Item *orig_left_item= left_item;
  Item *orig_right_item= right_item;
-  if (left_item->type() == Item::REF_ITEM &&
+  if (left_item->type() == Item::REF_ITEM)
-      (((Item_ref*)left_item)->ref_type() == Item_ref::VIEW_REF ||
-      ((Item_ref*)left_item)->ref_type() == Item_ref::REF))
  {
-    if (((Item_ref*)left_item)->get_depended_from())
+    Item_ref::Ref_Type left_ref= ((Item_ref*)left_item)->ref_type();
-      return FALSE;
-    if (((Item_direct_view_ref*)left_item)->get_null_ref_table() !=
+    if (left_ref == Item_ref::VIEW_REF ||
-        NO_NULL_TABLE && !left_item->real_item()->used_tables())
+        left_ref == Item_ref::REF)
-      return FALSE;
+    {
-    left_item= left_item->real_item();
+      if (((Item_ref*)left_item)->get_depended_from())
+        return FALSE;
+      if (left_ref == Item_ref::VIEW_REF &&
+          ((Item_direct_view_ref*)left_item)->get_null_ref_table() !=
+           NO_NULL_TABLE &&
+          !left_item->real_item()->used_tables())
+        return FALSE;
+      left_item= left_item->real_item();
+    }
  }
-  if (right_item->type() == Item::REF_ITEM &&
+  if (right_item->type() == Item::REF_ITEM)
-      (((Item_ref*)right_item)->ref_type() == Item_ref::VIEW_REF ||
-      ((Item_ref*)right_item)->ref_type() == Item_ref::REF))
  {
-    if (((Item_ref*)right_item)->get_depended_from())
+    Item_ref::Ref_Type right_ref= ((Item_ref*)right_item)->ref_type();
-      return FALSE;
+    if (right_ref == Item_ref::VIEW_REF ||
-    if (((Item_direct_view_ref*)right_item)->get_null_ref_table() !=
+       (right_ref == Item_ref::REF))
-        NO_NULL_TABLE && !right_item->real_item()->used_tables())
+    {
-      return FALSE;
+      if (((Item_ref*)right_item)->get_depended_from())
-    right_item= right_item->real_item();
+        return FALSE;
+      if (right_ref == Item_ref::VIEW_REF &&
+          ((Item_direct_view_ref*)right_item)->get_null_ref_table() !=
+           NO_NULL_TABLE &&
+          !right_item->real_item()->used_tables())
+        return FALSE;
+      right_item= right_item->real_item();
+    }
  }
  if (left_item->type() == Item::FIELD_ITEM &&
      right_item->type() == Item::FIELD_ITEM &&