diff options
| author | Vladislav Vaintroub <wlad@mariadb.com> | 2021-10-12 10:17:52 +0200 |
|---|---|---|
| committer | Vladislav Vaintroub <wlad@mariadb.com> | 2021-10-14 12:13:05 +0200 |
| commit | a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e (patch) | |
| tree | df36849b93f70c2830cb8717df87809a06089fef | |
| parent | bc09362eb312eff5eb2203963d75f368fea3f4ad (diff) | |
| download | mariadb-git-a6cf8b34a834e5d16155f8bb3f33d57a4f87eb9e.tar.gz | |
MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str
The reason for crash is that natural_sort_key(release_lock('a')) would
evaluate release_lock() twice, once in Item::is_null() and another time
in Item::val_str(). Second time it returns NULL, since lock was already
released.
Fixed to prevent double evaluation.
| -rw-r--r-- | mysql-test/main/natural_sort_key.result | 6 | ||||
| -rw-r--r-- | mysql-test/main/natural_sort_key.test | 5 | ||||
| -rw-r--r-- | sql/item_strfunc.cc | 4 |
3 files changed, 13 insertions, 2 deletions
diff --git a/mysql-test/main/natural_sort_key.result b/mysql-test/main/natural_sort_key.result index 46151dc8446..2b45addd1c6 100644 --- a/mysql-test/main/natural_sort_key.result +++ b/mysql-test/main/natural_sort_key.result @@ -206,3 +206,9 @@ drop table t; select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031); natural_sort_key(_utf16 0x0031) natural_sort_key(_ucs2 0x0031) natural_sort_key(_utf32 0x00000031) 01 01 01 +select get_lock('a', 0); +get_lock('a', 0) +1 +select natural_sort_key(release_lock('a')); +natural_sort_key(release_lock('a')) +01 diff --git a/mysql-test/main/natural_sort_key.test b/mysql-test/main/natural_sort_key.test index fbd4e6e0172..811f937750c 100644 --- a/mysql-test/main/natural_sort_key.test +++ b/mysql-test/main/natural_sort_key.test @@ -95,3 +95,8 @@ drop table t; # MDEV-26796 Natural sort does not work for utf32/utf16/ucs2 select natural_sort_key(_utf16 0x0031),natural_sort_key(_ucs2 0x0031), natural_sort_key(_utf32 0x00000031); + +# MDEV-26806 Server crash in Charset::charset / Item_func_natural_sort_key::val_str +select get_lock('a', 0); +select natural_sort_key(release_lock('a')); + diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc index a13728295b8..0567501c97a 100644 --- a/sql/item_strfunc.cc +++ b/sql/item_strfunc.cc @@ -5638,13 +5638,13 @@ static NATSORT_ERR to_natsort_key(const String *in, String *out, String *Item_func_natural_sort_key::val_str(String *out) { - if (args[0]->is_null()) + String *in= args[0]->val_str(); + if (args[0]->null_value || !in) { null_value= true; return nullptr; } NATSORT_ERR err= NATSORT_ERR::SUCCESS; - String *in= args[0]->val_str(); CHARSET_INFO *cs= in->charset(); ulong max_allowed_packet= current_thd->variables.max_allowed_packet; uint errs; |