From 0a29baba4bae36b947aba9001956f3c800f4205f Mon Sep 17 00:00:00 2001
From: Sergey Glukhov <sergey.glukhov@oracle.com>
Date: Mon, 8 Nov 2010 13:34:27 +0300
Subject: [PATCH] Fix for bug #54575: crash when joining tables with unique set
 column(backport from 5.1)

Problem: a flaw (derefencing a NULL pointer) in the LIKE optimization
code may lead to a server crash in some rare cases.

Fix: check the pointer before its dereferencing.


mysql-test/r/func_like.result:
  Fix for bug #54575: crash when joining tables with unique set column
    - test result.
mysql-test/t/func_like.test:
  Fix for bug #54575: crash when joining tables with unique set column
    - test case.
sql/item_cmpfunc.cc:
  Fix for bug #54575: crash when joining tables with unique set column
  - check res2 buffer pointer before its dereferencing
    as it may be NULL in some cases.
---
 mysql-test/r/func_like.result | 14 ++++++++++++++
 mysql-test/t/func_like.test   | 18 ++++++++++++++++--
 sql/item_cmpfunc.cc           |  7 ++++---
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/mysql-test/r/func_like.result b/mysql-test/r/func_like.result
index 7e6fedb9403..f8743d6305f 100644
--- a/mysql-test/r/func_like.result
+++ b/mysql-test/r/func_like.result
@@ -165,3 +165,17 @@ select 'andre%' like 'andre
 select _cp1251'andre%' like convert('andreÊ%' using cp1251)  escape 'Ê';
 _cp1251'andre%' like convert('andreÊ%' using cp1251)  escape 'Ê'
 1
+End of 4.1 tests
+#
+# Bug #54575: crash when joining tables with unique set column
+#
+CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
+CREATE TABLE t2(b INT PRIMARY KEY);
+INSERT INTO t1 VALUES ();
+Warnings:
+Warning	1364	Field 'a' doesn't have a default value
+INSERT INTO t2 VALUES (1), (2), (3);
+SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
+1
+DROP TABLE t1, t2;
+End of 5.1 tests
diff --git a/mysql-test/t/func_like.test b/mysql-test/t/func_like.test
index 4e1183afeff..50ebb2b2782 100644
--- a/mysql-test/t/func_like.test
+++ b/mysql-test/t/func_like.test
@@ -112,5 +112,19 @@ select 'andre%' like 'andre
 #
 select _cp1251'andre%' like convert('andreÊ%' using cp1251)  escape 'Ê';
 
-#
-# End of 4.1 tests
+
+--echo End of 4.1 tests
+
+
+--echo #
+--echo # Bug #54575: crash when joining tables with unique set column
+--echo #
+CREATE TABLE t1(a SET('a') NOT NULL, UNIQUE KEY(a));
+CREATE TABLE t2(b INT PRIMARY KEY);
+INSERT INTO t1 VALUES ();
+INSERT INTO t2 VALUES (1), (2), (3);
+SELECT 1 FROM t2 JOIN t1 ON 1 LIKE a GROUP BY a;
+DROP TABLE t1, t2;
+
+
+--echo End of 5.1 tests
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index 5c2fb9857d5..4ae381af683 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -4220,13 +4220,14 @@ Item_func::optimize_type Item_func_like::select_optimize() const
   if (args[1]->const_item())
   {
     String* res2= args[1]->val_str((String *)&tmp_value2);
+    const char *ptr2;
 
-    if (!res2)
+    if (!res2 || !(ptr2= res2->ptr()))
       return OPTIMIZE_NONE;
 
-    if (*res2->ptr() != wild_many)
+    if (*ptr2 != wild_many)
     {
-      if (args[0]->result_type() != STRING_RESULT || *res2->ptr() != wild_one)
+      if (args[0]->result_type() != STRING_RESULT || *ptr2 != wild_one)
 	return OPTIMIZE_OP;
     }
   }