Bug #58900 query_get_value crashes when result begins with dollar sign

Generalized fix for recursive backtick Optional arg to eval_expr telling it not to interpret

Bug #58900 query_get_value crashes when result begins with dollar sign
Generalized fix for recursive backtick Optional arg to eval_expr telling it not to interpret
5376a76d · Bjorn Munch · f3bc9f69 · 5376a76d · 5376a76d · 5376a76d
Commit 5376a76d authored Jan 11, 2011 by Bjorn Munch
Showing with 18 additions and 4 deletions

client/mysqltest.cc client/mysqltest.cc +9 -4

mysql-test/r/mysqltest.result mysql-test/r/mysqltest.result +3 -0

mysql-test/t/mysqltest.test mysql-test/t/mysqltest.test +6 -0

No files found.
--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -474,7 +474,7 @@ VAR* var_init(VAR* v, const char *name, int name_len, const char *val,
 void var_free(void* v);
 VAR* var_get(const char *var_name, const char** var_name_end,
             my_bool raw, my_bool ignore_not_existing);
-void eval_expr(VAR* v, const char *p, const char** p_end, bool backtick= true);
+void eval_expr(VAR* v, const char *p, const char** p_end, bool do_eval= true);
 my_bool match_delimiter(int c, const char *delim, uint length);
 void dump_result_to_reject_file(char *buf, int size);
 void dump_warning_messages();
@@ -2371,7 +2371,7 @@ void var_set_query_get_value(struct st_command *command, VAR *var)
        break;
      }
    }
-    eval_expr(var, value, 0);
+    eval_expr(var, value, 0, false);
  }
  dynstr_free(&ds_query);
  mysql_free_result(res);
@@ -2401,12 +2401,16 @@ void var_copy(VAR *dest, VAR *src)
 }
-void eval_expr(VAR *v, const char *p, const char **p_end, bool backtick)
+void eval_expr(VAR *v, const char *p, const char **p_end, bool do_eval)
 {
  DBUG_ENTER("eval_expr");
  DBUG_PRINT("enter", ("p: '%s'", p));
+  /* Skip to treat as pure string if no evaluation */
+  if (! do_eval)
+    goto NO_EVAL;
  if (*p == '$')
  {
    VAR *vp;
@@ -2426,7 +2430,7 @@ void eval_expr(VAR *v, const char *p, const char **p_end, bool backtick)
    DBUG_VOID_RETURN;
  }
-  if (*p == '`' && backtick)
+  if (*p == '`')
  {
    var_query_set(v, p, p_end);
    DBUG_VOID_RETURN;
@@ -2449,6 +2453,7 @@ void eval_expr(VAR *v, const char *p, const char **p_end, bool backtick)
    }
  }
+ NO_EVAL:
  {
    int new_val_len = (p_end && *p_end) ?
      (int) (*p_end - p) : (int) strlen(p);

--- a/mysql-test/r/mysqltest.result
+++ b/mysql-test/r/mysqltest.result
@@ -311,6 +311,9 @@ failing query in let
 create table t1 (a varchar(100));
 insert into t1 values ('`select 42`');
 `select 42`
+insert into t1 values ('$dollar');
+$dollar
+`select 42`
 drop table t1;
 mysqltest: At line 1: Error running query 'failing query': 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'failing query' at line 1
 mysqltest: At line 1: Missing required argument 'filename' to command 'source'

--- a/mysql-test/t/mysqltest.test
+++ b/mysql-test/t/mysqltest.test
@@ -859,6 +859,12 @@ insert into t1 values ('`select 42`');
 let $a= `select * from t1`;
 # This should output `select 42`, not evaluate it again to 42
 echo $a;
+insert into t1 values ('$dollar');
+# These should also output the string without evaluating it.
+let $a= query_get_value(select * from t1 order by a, a, 1);
+echo $a;
+let $a= query_get_value(select * from t1 order by a, a, 2);
+echo $a;
 drop table t1;
 --error 1