1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL

Browse Source 
The problem was that the loop in get_func_mm_tree()
accessed improperly initialized instances of String,
which resided in the bzero'ed part of the in_vector::base array.

Strings in in_vector::base are originally initialized
in Item_func_in::fix_length_and_dec(),
in in_vector::in_vector() using sql_calloc,
rather than using a String constructor, so their str_charset
members are originally equal to NULL.

Strings in in_vector::base are later initialized
to good values in Item_func_in::fix_length_and_dec(),
using array->set(), in this code:

      uint j=0;
      for (uint i=1 ; i < arg_count ; i++)
      {
        array->set(j,args[i]);
        if (!args[i]->null_value)                      // Skip NULL values
          j++;
        else
          have_null= 1;
      }
      if ((array->used_count= j))
        array->sort();

NULLs are not taken into account, so at the end
array->used_count can be smaller than array->count.

This patch fixes the loop in opt_range.cc, in get_func_mm_tree(),
to access only properly initialized elements in in_vector::base,
preventing access to its bzero'ed non-initialized tail.
This commit is contained in:
Alexander Barkov 2016-06-20 14:11:01 +04:00
parent 70ad689b11
commit a80dbe068c
3 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
mysql-test/r/func_in.result
View File

@ -812,3 +812,22 @@ EXECUTE s;
1
DROP TABLE t1;
# End of 5.3 tests
#
# Start of 10.0 tests
#
#
# MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL
#
CREATE TABLE t1
(
a INT(11),
b VARCHAR(10),
KEY (b)
);
INSERT INTO t1 VALUES (1,'x'),(2,'y'),(3,'z');
SELECT * FROM t1 WHERE b NOT IN (NULL, '', 'A');
a b
DROP TABLE t1;
#
# End of 10.0 tests
#

21
mysql-test/t/func_in.test
View File

@ -606,3 +606,24 @@ EXECUTE s;
DROP TABLE t1;
--echo # End of 5.3 tests
--echo #
--echo # Start of 10.0 tests
--echo #
--echo #
--echo # MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL
--echo #
CREATE TABLE t1
(
a INT(11),
b VARCHAR(10),
KEY (b)
);
INSERT INTO t1 VALUES (1,'x'),(2,'y'),(3,'z');
SELECT * FROM t1 WHERE b NOT IN (NULL, '', 'A');
DROP TABLE t1;
--echo #
--echo # End of 10.0 tests
--echo #

2
sql/opt_range.cc
View File

@ -7730,7 +7730,7 @@ static SEL_TREE *get_func_mm_tree(RANGE_OPT_PARAM *param, Item_func *cond_func,
break;
}
SEL_TREE *tree2;
for (; i < func->array->count; i++)
for (; i < func->array->used_count; i++)
{
if (func->array->compare_elems(i, i-1))
{