Bug#13031606 VALUES() IN A SELECT STATEMENT CRASHES SERVER

Problem: Grouping results by VALUES(alias for string literal) causes the server to crash. Item_insert_values is not constructed to handle other types of arguments than field and reference to field. In this case, the argument is an Item_string, and this causes Item_insert_values::fix_fields() to crash. Fix: Issue an error message when the argument to Item_insert_values is not a field or a reference to a field. This is slightly in breach with documentation, which states that VALUES should return NULL, but the error message is only issued in cases where the server otherwise would crash, so there is no change in behavior for queries that already work. Future versions will restrict syntax so that using VALUES in this way is illegal. mysql-test/r/errors.result: Add test case for bug #13031606. mysql-test/t/errors.test: Add test case for bug #13031606. sql/item.cc: Issue error message if argument is not field or reference to field.
2012-03-12 08:56:56 +01:00 · 2012-03-12 08:56:56 +01:00 · ad031d5110
commit ad031d5110
parent c48233c61e
3 changed files with 36 additions and 12 deletions
--- a/mysql-test/r/errors.result
+++ b/mysql-test/r/errors.result
@ -55,3 +55,17 @@ Error	1054	Unknown column 'b' in 'field list'
 INSERT INTO t1 SELECT b FROM t1;
 ERROR 42S22: Unknown column 'b' in 'field list'
 DROP TABLE t1;
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2(a INT PRIMARY KEY, b INT);
+SELECT '' AS b FROM t1 GROUP BY VALUES(b);
+ERROR 42S22: Unknown column '' in 'VALUES() function'
+REPLACE t2(b) SELECT '' AS b FROM t1 GROUP BY VALUES(b);
+ERROR 42S22: Unknown column '' in 'VALUES() function'
+UPDATE t2 SET a=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
+ERROR 42S22: Unknown column '' in 'VALUES() function'
+INSERT INTO t2 VALUES (1,0) ON DUPLICATE KEY UPDATE
+b=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
+ERROR 42S22: Unknown column '' in 'VALUES() function'
+INSERT INTO t2(a,b) VALUES (1,0) ON DUPLICATE KEY UPDATE
+b=(SELECT VALUES(a)+2 FROM t1);
+DROP TABLE t1, t2;
--- a/mysql-test/t/errors.test
+++ b/mysql-test/t/errors.test
@ -67,3 +67,21 @@ SHOW ERRORS;
 INSERT INTO t1 SELECT b FROM t1;
 DROP TABLE t1;
 # End of 5.0 tests
+
+#
+# Bug #13031606 VALUES() IN A SELECT STATEMENT CRASHES SERVER
+#
+CREATE TABLE t1 (a INT);
+CREATE TABLE t2(a INT PRIMARY KEY, b INT);
+--error ER_BAD_FIELD_ERROR
+SELECT '' AS b FROM t1 GROUP BY VALUES(b);
+--error ER_BAD_FIELD_ERROR
+REPLACE t2(b) SELECT '' AS b FROM t1 GROUP BY VALUES(b);
+--error ER_BAD_FIELD_ERROR
+UPDATE t2 SET a=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
+--error ER_BAD_FIELD_ERROR
+INSERT INTO t2 VALUES (1,0) ON DUPLICATE KEY UPDATE
+  b=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
+INSERT INTO t2(a,b) VALUES (1,0) ON DUPLICATE KEY UPDATE
+  b=(SELECT VALUES(a)+2 FROM t1);
+DROP TABLE t1, t2;
--- a/sql/item.cc
+++ b/sql/item.cc
@ -6657,20 +6657,12 @@ bool Item_insert_value::fix_fields(THD *thd, Item **items)
  }

  if (arg->type() == REF_ITEM)
+    arg= static_cast<Item_ref *>(arg)->ref[0];
+  if (arg->type() != FIELD_ITEM)
  {
-    Item_ref *ref= (Item_ref *)arg;
-    if (ref->ref[0]->type() != FIELD_ITEM)
-    {
-      my_error(ER_BAD_FIELD_ERROR, MYF(0), "", "VALUES() function");
-      return TRUE;
-    }
-    arg= ref->ref[0];
+    my_error(ER_BAD_FIELD_ERROR, MYF(0), "", "VALUES() function");
+    return TRUE;
  }
-  /*
-    According to our SQL grammar, VALUES() function can reference
-    only to a column.
-  */
-  DBUG_ASSERT(arg->type() == FIELD_ITEM);

  Item_field *field_arg= (Item_field *)arg;