From cc7a75e6fdf5f4253c550ee3d5d93c46b96f5678 Mon Sep 17 00:00:00 2001
From: unknown
Date: Fri, 3 Mar 2006 16:19:57 +0300
Subject: [PATCH 1/2] Fixed bug#17726: Not checked empty list caused endless loop

When the Item_cond::fix_fields() function reduces cond tree, it in loop scans it's own list and when it founds Item_cond with same function (AND or OR) it does next things:
1) replaces that item with item's list.
2) empties item's list.
Due to this operation is done twice - for update and for view, at the update phase cond's list of lower view is already empty. Empty list returns ref to itself, thus making endless loop by replacing list with itself, emptying, replacing again and so on. This results in server hung up.

To the Item_cond::fix_fields() function added check that ensures that list being replaced with isn't empty.

mysql-test/t/view.test:
  Added test for bug#17726: Not checked empty list caused endless loop
mysql-test/r/view.result:
  Added test for bug#17726: Not checked empty list caused endless loop
sql/item_cmpfunc.cc:
  Fixed bug#17726: Not checked empty list caused endless loop
  To the Item_cond::fix_fields() function added check that ensures that list being replaced with isn't empty.
---
 mysql-test/r/view.result | 14 ++++++++++++++
 mysql-test/t/view.test | 14 ++++++++++++++
 sql/item_cmpfunc.cc | 3 ++-
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/mysql-test/r/view.result b/mysql-test/r/view.result
index c9a79e50cc3..7678c70bda2 100644
--- a/mysql-test/r/view.result
+++ b/mysql-test/r/view.result
@@ -2539,3 +2539,17 @@ drop view v1; //
 View Create View
 v1 CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select sql_no_cache `test`.`t1`.`id` AS `id` from `t1`
+create table t1(f1 int, f2 int);
+create view v1 as select ta.f1 as a, tb.f1 as b from t1 ta, t1 tb where ta.f1=tb
+.f1 and ta.f2=tb.f2;
+insert into t1 values(1,1),(2,2);
+create view v2 as select * from v1 where a > 1 with check option;
+select * from v2;
+a b
+2 2
+update v2 set b=3 where a=2;
+select * from v2;
+a b
+3 3
+drop view v2, v1;
+drop table t1;
diff --git a/mysql-test/t/view.test b/mysql-test/t/view.test
index b7e678c6f77..e17e2b98527 100644
--- a/mysql-test/t/view.test
+++ b/mysql-test/t/view.test
@@ -2385,3 +2385,17 @@ show create view v1;
 drop view v1; //
 delimiter ;//
 
+
+#
+# Bug#17726 Not checked empty list caused endless loop
+#
+create table t1(f1 int, f2 int);
+create view v1 as select ta.f1 as a, tb.f1 as b from t1 ta, t1 tb where ta.f1=tb
+.f1 and ta.f2=tb.f2;
+insert into t1 values(1,1),(2,2);
+create view v2 as select * from v1 where a > 1 with check option;
+select * from v2;
+update v2 set b=3 where a=2;
+select * from v2;
+drop view v2, v1;
+drop table t1;
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index 7ba8a536ac7..4cd460cfeb0 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -2553,7 +2553,8 @@ Item_cond::fix_fields(THD *thd, Item **ref)
   {
     table_map tmp_table_map;
     while (item->type() == Item::COND_ITEM &&
-           ((Item_cond*) item)->functype() == functype())
+           ((Item_cond*) item)->functype() == functype() &&
+           !((Item_cond*) item)->list.is_empty())
     {                                           // Identical function
       li.replace(((Item_cond*) item)->list);
       ((Item_cond*) item)->list.empty();
From 85d705b651cf9057f2d687294044f173880675c3 Mon Sep 17 00:00:00 2001
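Review bot: The added `!((Item_cond*) item)->list.is_empty()` guard ends the self-replacement loop but leaves the already-emptied Item_cond in place as an ordinary list element, so it falls through to whatever per-item handling follows the while loop as a condition with no arguments, and the hunk carries no comment saying that this is intended; a why-comment such as `// An empty Item_cond was already merged by an earlier fix_fields() pass; splicing its empty list in would replace the node with itself forever` would save the next reader from re-deriving bug#17726. The commit message attributes the empty list to fix_fields() running twice (once for the view, once for the update); if that is the root cause, this guard treats the symptom, and a check that the sub-item has not already been fixed, or an assertion on entry, would catch the next code path that re-enters this reduction. The `(Item_cond*) item` cast now appears three times in the condition and twice in the body; a single local `Item_cond *cond= (Item_cond*) item;` would read better, though `item` is presumably re-read from the list inside the loop body, which lies outside the hunk. Item_cond::fix_fields starts before this hunk and continues after it.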
From: unknown
Date: Thu, 9 Mar 2006 10:09:52 -0800
Subject: [PATCH 2/2] Porting fix that allows others to include compiled code with different parsers.

Makes you wonder what I am up to, doesn't?

configure.in:
  Adjusts bison to not create symbols that clash.
sql/sql_analyse.cc:
  Adding define to make sure sql_yacc.h gets included.
sql/sql_lex.cc:
  Fixing it so that sql_yacc.h is included
sql/sql_lex.h:
  Fixing include rules
sql/sql_parse.cc:
  Adding flag to compile sql_yacc.yy
---
 configure.in | 2 +-
 sql/sql_analyse.cc | 2 ++
 sql/sql_lex.cc | 1 +
 sql/sql_lex.h | 4 ++++
 sql/sql_parse.cc | 1 +
 5 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/configure.in b/configure.in
index 4e630de13d2..4ff90bb39bb 100644
--- a/configure.in
+++ b/configure.in
@@ -236,7 +236,7 @@ AC_PROG_INSTALL
 test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
 
 # Not critical since the generated file is distributed
-AC_PROG_YACC
+AC_CHECK_PROGS(YACC, ['bison -y -p MYSQL'])
 AC_CHECK_PROG(PDFMANUAL, pdftex, manual.pdf)
 AC_CHECK_PROG(DVIS, tex, manual.dvi)
 
diff --git a/sql/sql_analyse.cc b/sql/sql_analyse.cc
index 0e4198a5114..af9246c673a 100644
--- a/sql/sql_analyse.cc
+++ b/sql/sql_analyse.cc
@@ -27,6 +27,8 @@
 #pragma implementation // gcc: Class implementation
 #endif
 
+#define MYSQL_LEX 1
+
 #include "mysql_priv.h"
 #include "procedure.h"
 #include "sql_analyse.h"
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index 49b0c70ff03..110c82f6926 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -17,6 +17,7 @@
 
 /* A lexical scanner on a temporary buffer with a yacc interface */
 
+#define MYSQL_LEX 1
 #include "mysql_priv.h"
 #include "item_create.h"
 #include
diff --git a/sql/sql_lex.h b/sql/sql_lex.h
index 8db059ae2fa..8bacc60d48d 100644
--- a/sql/sql_lex.h
+++ b/sql/sql_lex.h
@@ -37,8 +37,12 @@ class sp_pcontext;
 #define LEX_YYSTYPE void *
 #else
 #include "lex_symbol.h"
+#if MYSQL_LEX
 #include "sql_yacc.h"
 #define LEX_YYSTYPE YYSTYPE *
+#else
+#define LEX_YYSTYPE void *
+#endif
 #endif
 
 /*
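Review bot: `AC_CHECK_PROGS(YACC, ['bison -y -p MYSQL'])` passes no value-if-not-found, so on a host without bison YACC is left empty and any failure only surfaces when make tries to regenerate the parser, whereas the replaced `AC_PROG_YACC` fell back to byacc or yacc. Given the comment above it that the generated file is distributed, either supplying a default as the third argument or emitting an `AC_MSG_WARN` when YACC ends up empty would make that choice explicit rather than silent. The `-p MYSQL` prefix renames the generated yy* entry points (yyparse, yylex, yyerror) to MYSQL-prefixed names; nothing in this patch shows the lexer-side definitions being renamed to match, so it is worth confirming that the lexer already provides the prefixed names or that the grammar file maps them.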
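Review bot: `#if MYSQL_LEX` relies on an undefined macro evaluating to 0 in a preprocessor condition, so a TU that omits the define, or includes sql_lex.h once before defining it, silently gets `LEX_YYSTYPE void *` (and -Wundef builds will warn); `#ifdef MYSQL_LEX` states the intent directly. The header should also document the contract that the sql_analyse.cc, sql_lex.cc and sql_parse.cc hunks now follow, e.g. `/* TUs that need the real YYSTYPE must define MYSQL_LEX before the first include of this header (presumably via mysql_priv.h); all other TUs see an opaque pointer. */`. Both settings are pointers, so a struct using LEX_YYSTYPE has the same layout either way and the only effect of a missing define is lost type checking, which is why a diagnostic beats a silent fallback. Minor consistency: the sql_analyse.cc hunk separates the define from the includes with a blank line while the sql_lex.cc and sql_parse.cc hunks do not.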
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 527a6a67811..ea559c70734 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -14,6 +14,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
 
+#define MYSQL_LEX 1
 #include "mysql_priv.h"
 #include "sql_repl.h"
 #include "repl_failsafe.h"