Fixed bug#17366: Unchecked Item_int results in server crash

When there is conjunction of conds, the substitute_for_best_equal_field() will call the eliminate_item_equal() function in loop to build final expression. But if eliminate_item_equal() finds that some cond will always evaluate to 0, then that cond will be substituted by Item_int with value == 0. In this case on the next iteration eliminate_item_equal() will get that Item_int and treat it as Item_cond. This is leads to memory corruption and server crash on cleanup phase. To the eliminate_item_equal() function was added DBUG_ASSERT for checking that all items treaten as Item_cond are really Item_cond. The substitute_for_best_equal_field() now checks that if eliminate_item_equal() returns Item_int and it's value is 0 then this value is returned as the result of whole conjunction. mysql-test/t/subselect.test: Added test for bug#17366: Unchecked Item_int results in server crash mysql-test/r/subselect.result: Added test for bug#17366: Unchecked Item_int results in server crash sql/sql_select.cc: Fixed bug#17366: Unchecked Item_int results in server crash To the eliminate_item_equal() function was added DBUG_ASSERT for checking that all items treaten as Item_cond are really Item_cond. The substitute_for_best_equal_field() now checks that if eliminate_item_equal() returns something other than Item_cond and if it is then this value is returned as the result of whole conjunction.

Fixed bug#17366: Unchecked Item_int results in server crash
When there is conjunction of conds, the substitute_for_best_equal_field() will call the eliminate_item_equal() function in loop to build final expression. But if eliminate_item_equal() finds that some cond will always evaluate to 0, then that cond will be substituted by Item_int with value == 0. In this case on the next iteration eliminate_item_equal() will get that Item_int and treat it as Item_cond. This is leads to memory corruption and server crash on cleanup phase. To the eliminate_item_equal() function was added DBUG_ASSERT for checking that all items treaten as Item_cond are really Item_cond. The substitute_for_best_equal_field() now checks that if eliminate_item_equal() returns Item_int and it's value is 0 then this value is returned as the result of whole conjunction. mysql-test/t/subselect.test: Added test for bug#17366: Unchecked Item_int results in server crash mysql-test/r/subselect.result: Added test for bug#17366: Unchecked Item_int results in server crash sql/sql_select.cc: Fixed bug#17366: Unchecked Item_int results in server crash To the eliminate_item_equal() function was added DBUG_ASSERT for checking that all items treaten as Item_cond are really Item_cond. The substitute_for_best_equal_field() now checks that if eliminate_item_equal() returns something other than Item_cond and if it is then this value is returned as the result of whole conjunction.
8ba5a687 · unknown · 19ed1c4b · 8ba5a687 · 8ba5a687 · 8ba5a687
Commit 8ba5a687 authored Mar 13, 2006 by unknown
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

mysql-test/r/subselect.result mysql-test/r/subselect.result +7 -0

mysql-test/t/subselect.test mysql-test/t/subselect.test +7 -0

sql/sql_select.cc sql/sql_select.cc +8 -0

No files found.
--- a/mysql-test/r/subselect.result
+++ b/mysql-test/r/subselect.result
@@ -3157,3 +3157,10 @@ id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
 1	PRIMARY	t1	ALL	NULL	NULL	NULL	NULL	9	Using where
 2	DEPENDENT SUBQUERY	t1	index	NULL	a	8	NULL	9	Using filesort
 DROP TABLE t1;
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+t
+crash1
+crash1
+drop table t1;
--- a/mysql-test/t/subselect.test
+++ b/mysql-test/t/subselect.test
@@ -2073,3 +2073,10 @@ SELECT * FROM t1 WHERE (a,b) = ANY (SELECT a, max(b) FROM t1 GROUP BY a);

 DROP TABLE t1;

+#
+# Bug#17366: Unchecked Item_int results in server crash
+#
+create table t1( f1 int,f2 int);
+insert into t1 values (1,1),(2,2);
+select tt.t from (select 'crash1' as t, f2 from t1) as tt left join t1 on tt.t = 'crash2' and tt.f2 = t1.f2 where tt.t = 'crash1';
+drop table t1;
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -7066,7 +7066,10 @@ static Item *eliminate_item_equal(COND *cond, COND_EQUAL *upper_levels,
  if (!cond)
    cond= new Item_cond_and(eq_list);
  else
+  {
+    DBUG_ASSERT(cond->type() == Item::COND_ITEM);
    ((Item_cond *) cond)->add_at_head(&eq_list);
+  }

  cond->quick_fix_field();
  cond->update_used_tables();
@@ -7151,6 +7154,11 @@ static COND* substitute_for_best_equal_field(COND *cond,
      while ((item_equal= it++))
      {
        cond= eliminate_item_equal(cond, cond_equal->upper_levels, item_equal);
+        // This occurs when eliminate_item_equal() founds that cond is
+        // always false and substitues it with Item_int 0.
+        // Due to this, value of item_equal will be 0, so just return it.
+        if (cond->type() != Item::ITEM_COND)
+          break;
      }
    }
  }