From c5975eaea174460e774e77717e972a8d32e6c8de Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Wed, 12 Jul 2017 08:05:42 +0200 Subject: [PATCH] MDEV-7339 Server crashes in Item_func_trig_cond::val_int Item_in_subselect::pushed_cond_guards[] array is allocated only when left_expr->maybe_null. And it is used (for row expressions) when left_expr->element_index(i)->maybe_null. For left_expr being a multi-column subquery, its maybe_null is always false when the subquery doesn't use tables (see Item_singlerow_subselect::fix_length_and_dec() and subselect_single_select_engine::fix_length_and_dec()), otherwise it's always true. But row elements can be NULL regardless, so let's always allocate pushed_cond_guards for multi-column subqueries, no matter whether its maybe_null was forced to true or false. --- mysql-test/r/subselect_nulls.result | 6 ++++++ mysql-test/t/subselect_nulls.test | 6 ++++++ sql/item_subselect.cc | 3 ++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/subselect_nulls.result b/mysql-test/r/subselect_nulls.result index 584c184870d..08982371269 100644 --- a/mysql-test/r/subselect_nulls.result +++ b/mysql-test/r/subselect_nulls.result @@ -115,3 +115,9 @@ k d1 d2 set optimizer_switch= @tmp_subselect_nulls; drop table x1; drop table x2; +select (select 1, 2) in (select 3, 4); +(select 1, 2) in (select 3, 4) +0 +select (select NULL, NULL) in (select 3, 4); +(select NULL, NULL) in (select 3, 4) +NULL diff --git a/mysql-test/t/subselect_nulls.test b/mysql-test/t/subselect_nulls.test index 4b08e773b17..3e7b2189ed5 100644 --- a/mysql-test/t/subselect_nulls.test +++ b/mysql-test/t/subselect_nulls.test @@ -97,3 +97,9 @@ set optimizer_switch= @tmp_subselect_nulls; drop table x1; drop table x2; + +# +# MDEV-7339 Server crashes in Item_func_trig_cond::val_int +# +select (select 1, 2) in (select 3, 4); +select (select NULL, NULL) in (select 3, 4); diff --git a/sql/item_subselect.cc b/sql/item_subselect.cc index e0da946d190..068f32c99b9 100644 --- a/sql/item_subselect.cc +++ b/sql/item_subselect.cc @@ -2871,7 +2871,8 @@ bool Item_in_subselect::init_cond_guards() { DBUG_ASSERT(thd); uint cols_num= left_expr->cols(); - if (!abort_on_null && left_expr->maybe_null && !pushed_cond_guards) + if (!abort_on_null && !pushed_cond_guards && + (left_expr->maybe_null || cols_num > 1)) { if (!(pushed_cond_guards= (bool*)thd->alloc(sizeof(bool) * cols_num))) return TRUE;