Bug #23279858: MYSQLD GOT SIGNAL 11 ON SIMPLE SELECT

Sreeharsha Ramanavarapu · Sreeharsha Ramanavarapu · commit 115f08284df1 · 2016-05-24T07:44:21.000+05:30
NAME_CONST QUERY

ISSUE:
------
Using NAME_CONST with a non-constant negated expression as
value can result in incorrect behavior.

SOLUTION:
---------
The problem can be avoided by checking whether the argument
is a constant value.

The fix is a backport of Bug#12735545.
diff --git a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result
@@ -403,3 +403,10 @@ DROP TABLE t1;
 #
 # End of tests
 #
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1 AND 2)) OR 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1)) OR 1;
+NAME_CONST('a', -(1)) OR 1
+1
diff --git a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test
@@ -544,3 +544,13 @@ DROP TABLE t1;
 --echo #
 --echo # End of tests
 --echo #
+
+#
+# Bug#12735545 - PARSER STACK OVERFLOW WITH NAME_CONST
+#                CONTAINING OR EXPRESSION
+#
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 AND 2)) OR 1;
+SELECT NAME_CONST('a', -(1)) OR 1;
diff --git a/sql/item.cc b/sql/item.cc
@@ -1358,15 +1358,20 @@ bool Item_name_const::is_null()
 Item_name_const::Item_name_const(Item *name_arg, Item *val):
     value_item(val), name_item(name_arg)
 {
+  /*
+    The value argument to NAME_CONST can only be a literal constant. Some extra
+    tests are needed to support a collation specificer and to handle negative
+    values.
+  */
   if (!(valid_args= name_item->basic_const_item() &&
                     (value_item->basic_const_item() ||
                      ((value_item->type() == FUNC_ITEM) &&
                       ((((Item_func *) value_item)->functype() ==
                          Item_func::COLLATE_FUNC) ||
                       ((((Item_func *) value_item)->functype() ==
                          Item_func::NEG_FUNC) &&
-                      (((Item_func *) value_item)->key_item()->type() !=
-                         FUNC_ITEM)))))))
+                      (((Item_func *)
+                        value_item)->key_item()->basic_const_item())))))))
     my_error(ER_WRONG_ARGUMENTS, MYF(0), "NAME_CONST");
   Item::maybe_null= TRUE;
 }

Original file line number	Diff line number	Diff line change
`@@ -403,3 +403,10 @@ DROP TABLE t1;`
`403`	`403`	`#`
`404`	`404`	`# End of tests`
`405`	`405`	`#`
	`406`	`+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;`
	`407`	`+ERROR HY000: Incorrect arguments to NAME_CONST`
	`408`	`+SELECT NAME_CONST('a', -(1 AND 2)) OR 1;`
	`409`	`+ERROR HY000: Incorrect arguments to NAME_CONST`
	`410`	`+SELECT NAME_CONST('a', -(1)) OR 1;`
	`411`	`+NAME_CONST('a', -(1)) OR 1`
	`412`	`+1`