authorGeorgi Kodinov <joro@sun.com>2009-10-30 15:15:43 +0200
committerGeorgi Kodinov <joro@sun.com>2009-10-30 15:15:43 +0200
commit9d96cd6dcb3f171cbbe93c0f7061ce132a9087a7 (patch)
tree35ed35ec715be27cf87f8f67132283e347b9643b
parent851e250953e531c2c5189dff0d7202cb79acf5d6 (diff)
Bug #48291 : crash with row() operator,select into @var, and
subquery returning multiple rows Error handling was missing when handling subqueries in WHERE and when assigning a SELECT result to a @variable. This caused crash(es). Fixed by adding error handling code to both the WHERE condition evaluation and to assignment to an @variable.
-rw-r--r--mysql-test/r/select.result12
-rw-r--r--mysql-test/t/select.test17
-rw-r--r--sql/sql_class.cc6
-rw-r--r--sql/sql_select.cc13
4 files changed, 45 insertions, 3 deletions
diff --git a/mysql-test/r/select.result b/mysql-test/r/select.result
index 4bb62fbfa70..5d07c97149f 100644
--- a/mysql-test/r/select.result
+++ b/mysql-test/r/select.result
@@ -4430,4 +4430,16 @@ SELECT 1 FROM t1 NATURAL LEFT JOIN t1 AS t2 FORCE INDEX(a);
1
1
DROP TABLE t1;
+#
+# Bug #48291 : crash with row() operator,select into @var, and
+# subquery returning multiple rows
+#
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (2),(3);
+# Should not crash
+SELECT 1 FROM t1 WHERE a <> 1 AND NOT
+ROW(a,a) <=> ROW((SELECT 1 FROM t1 WHERE 1=2),(SELECT 1 FROM t1))
+INTO @var0;
+ERROR 21000: Subquery returns more than 1 row
+DROP TABLE t1;
End of 5.0 tests
diff --git a/mysql-test/t/select.test b/mysql-test/t/select.test
index d57163dfef6..ceb67215614 100644
--- a/mysql-test/t/select.test
+++ b/mysql-test/t/select.test
@@ -3766,5 +3766,22 @@ EXPLAIN SELECT 1 FROM t1 NATURAL LEFT JOIN t1 AS t2 FORCE INDEX(a);
SELECT 1 FROM t1 NATURAL LEFT JOIN t1 AS t2 FORCE INDEX(a);
DROP TABLE t1;
+
+--echo #
+--echo # Bug #48291 : crash with row() operator,select into @var, and
+--echo # subquery returning multiple rows
+--echo #
+
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES (2),(3);
+
+--echo # Should not crash
+--error ER_SUBQUERY_NO_1_ROW
+SELECT 1 FROM t1 WHERE a <> 1 AND NOT
+ROW(a,a) <=> ROW((SELECT 1 FROM t1 WHERE 1=2),(SELECT 1 FROM t1))
+INTO @var0;
+
+DROP TABLE t1;
+
--echo End of 5.0 tests
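Review bot: The added statement raises its error while the WHERE condition is evaluated, so it appears to exercise only the new check in sql/sql_select.cc; the `fix_fields()`/`update()` checks added to select_dumpvar::send_data are probably never reached by it. A second case with the failing subquery in the select list, for example `--error ER_SUBQUERY_NO_1_ROW` followed by `SELECT (SELECT 1 FROM t1) INTO @var0;` (a constructed statement, to be confirmed against the server), would cover the assignment path too. Since the original failure was a server crash, it would also help to follow the failing statement with a plain `SELECT 1;` so the result file shows the connection is still usable.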
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 7d26759cb16..06f2229a050 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -2068,9 +2068,11 @@ bool select_dumpvar::send_data(List<Item> &items)
else
{
Item_func_set_user_var *suv= new Item_func_set_user_var(mv->s, item);
- suv->fix_fields(thd, 0);
+ if (suv->fix_fields(thd, 0))
+ DBUG_RETURN (1);
suv->save_item_result(item);
- suv->update();
+ if (suv->update())
+ DBUG_RETURN (1);
}
}
DBUG_RETURN(0);
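Review bot: `suv` is dereferenced by the new `if (suv->fix_fields(thd, 0))` line with no test that `new Item_func_set_user_var(mv->s, item)` on the line above produced an object. If that allocator can return NULL on out-of-memory (its definition is not visible in this hunk), the same statement keeps a crash path, which `if (!suv || suv->fix_fields(thd, 0))` would close. The two added returns are spelled `DBUG_RETURN (1);` with a space, while the existing line in the same function is `DBUG_RETURN(0);`; matching the existing spelling keeps the file consistent. A short comment above the checks, such as `/* evaluating item can raise an error (e.g. subquery returns more than 1 row); stop instead of assigning */`, would record why the results are now tested. send_data's body starts and ends outside the hunk.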
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index c425d9a988e..d5c2b93dfb4 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -10822,6 +10822,7 @@ evaluate_join_record(JOIN *join, JOIN_TAB *join_tab,
bool not_used_in_distinct=join_tab->not_used_in_distinct;
ha_rows found_records=join->found_records;
COND *select_cond= join_tab->select_cond;
+ bool select_cond_result= TRUE;
if (error > 0 || (*report_error)) // Fatal error
return NESTED_LOOP_ERROR;
@@ -10833,7 +10834,17 @@ evaluate_join_record(JOIN *join, JOIN_TAB *join_tab,
return NESTED_LOOP_KILLED; /* purecov: inspected */
}
DBUG_PRINT("info", ("select cond 0x%lx", (ulong)select_cond));
- if (!select_cond || select_cond->val_int())
+
+ if (select_cond)
+ {
+ select_cond_result= test(select_cond->val_int());
+
+ /* check for errors evaluating the condition */
+ if (join->thd->net.report_error)
+ return NESTED_LOOP_ERROR;
+ }
+
+ if (!select_cond || select_cond_result)
{
/*
There is no select condition or the attached pushed down
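Review bot: The new error check reads `join->thd->net.report_error`, while the guard a few lines earlier in the same function (previous hunk) tests `(*report_error)`. If that pointer refers to the same flag, which the hunk does not show, `if (*report_error) return NESTED_LOOP_ERROR;` would keep the function to one spelling of the error state. Because `select_cond_result` is initialised to `TRUE` in the previous hunk and assigned only when `select_cond` is non-null, the `!select_cond ||` half of the final test is redundant and `if (select_cond_result)` is equivalent. evaluate_join_record begins before and continues past this hunk, so any other condition evaluated later in the function is not visible here and may need the same check.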