From:
Date: December 9 2005 5:08pm
Subject: bk commit into 5.0 tree (evgen:1.1982) BUG#15268
List-Archive: http://lists.mysql.com/internals/33191
X-Bug: 15268
Message-Id: <20051209160856.22FFC2BFE5@localhost.moonbone.local>

Below is the list of changes that have just been committed into a local
5.0 repository of evgen. When evgen does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet
  1.1982 05/12/09 19:08:51 evgen@stripped +3 -0
  Fix bug #15268 Unchecked null value caused server crash
  cmp_item_sort_string::cmp() wasn't checking the values_res variable for null.
  A function called later dereferenced it and crashed the server.
  Added null check to cmp_item_sort_string::cmp().

  mysql-test/r/select.result
    1.115 05/12/09 19:07:53 evgen@stripped +8 -0
    Test case for bug#15268 Unchecked null value caused server crash

  mysql-test/t/select.test
    1.94 05/12/09 19:07:38 evgen@stripped +10 -0
    Test case for bug#15268 Unchecked null value caused server crash

  sql/item_cmpfunc.h
    1.117 05/12/09 19:05:54 evgen@stripped +2 -2
    Fix bug#15268 Unchecked null value caused server crash
    Added null check to cmp_item_sort_string::cmp().

# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: evgen
# Host: moonbone.local
# Root: /work/15268-bug-5.0-mysql

--- 1.116/sql/item_cmpfunc.h 2005-10-21 05:01:31 +04:00 +++ 1.117/sql/item_cmpfunc.h 2005-12-09 19:05:54 +03:00 
@@ -723,8 +723,8 @@ { char buff[STRING_BUFFER_USUAL_SIZE]; String tmp(buff, sizeof(buff), cmp_charset), *res; - if (!(res= arg->val_str(&tmp))) - return 1; /* Can't be right */ + if (!(res= arg->val_str(&tmp)) || !value_res) + return (res == value_res)?0:((res > value_res)?-1:1); return sortcmp(value_res, res, cmp_charset); } int compare(cmp_item *c) --- 1.114/mysql-test/r/select.result 2005-11-26 05:51:39 +03:00 +++ 1.115/mysql-test/r/select.result 2005-12-09 19:07:53 +03:00 @@ -3337,3 +3337,11 @@ 1 SIMPLE t2 const PRIMARY PRIMARY 4 const 1 Using index 1 SIMPLE t3 const PRIMARY PRIMARY 8 const,const 1 DROP TABLE t1,t2,t3; +create table t1(f1 char, f2 char not null); +insert into t1 values(null,'a'); +create table t2 (f2 char not null); +insert into t2 values('b'); +select * from t1 left join t2 on f1=t2.f2 where t1.f2='a'; +f1 f2 f2 +NULL a NULL +drop table t1,t2; --- 1.93/mysql-test/t/select.test 2005-11-26 05:51:39 +03:00 +++ 1.94/mysql-test/t/select.test 2005-12-09 19:07:38 +03:00 @@ -2805,3 +2805,13 @@ WHERE t2.key_a=2 and key_b=5; DROP TABLE t1,t2,t3; + +# +# Bug#15268 Unchecked null value caused server crash +# +create table t1(f1 char, f2 char not null); +insert into t1 values(null,'a'); +create table t2 (f2 char not null); +insert into t2 values('b'); +select * from t1 left join t2 on f1=t2.f2 where t1.f2='a'; +drop table t1,t2;
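
Review bot: In the sql/item_cmpfunc.h hunk, the new return expression uses (res > value_res) to order a null String pointer against a non-null one. A relational comparison between a null pointer and a pointer to an object has an unspecified result in C++, so whether the one-side-NULL case yields -1 or 1 is left to the compiler. Spelling the cases out keeps the intended mapping without comparing addresses: return (res == value_res) ? 0 : (res ? -1 : 1); inside the same if. The removed /* Can't be right */ comment is also not replaced, so nothing explains how NULL is ordered or that the both-NULL case now returns 0; a one-line comment stating that, and confirming callers expect two NULLs to compare as equal, would help.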
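
Review bot: In the mysql-test/r/select.result hunk, the expected header line reads "f1 f2 f2", so the row "NULL a NULL" does not show which f2 came from t1 and which from t2. Since the query uses select *, consider selecting the columns explicitly with aliases (for example t1.f2 and t2.f2 under different names) so a regression that swaps or drops a column is visible in the recorded result.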
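
Review bot: In the mysql-test/t/select.test hunk, the single row inserted into t1 (null,'a') exercises only one NULL combination, while the changed branch in cmp_item_sort_string::cmp() can return three different values (0, -1, 1) depending on which of res and value_res is NULL. Adding rows or a second query that reach the other combinations would cover the whole new branch rather than only the crash path. As a style point, the added statements are lowercase while the preceding context line uses uppercase (DROP TABLE t1,t2,t3;); matching the surrounding file would keep it consistent.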