3 files changed, 35 insertions, 6 deletions

diff --git a/mysql-test/main/sp.result b/mysql-test/main/sp.result
index a7faeaf2f0d..cf51ce96817 100644
--- a/mysql-test/main/sp.result
+++ b/mysql-test/main/sp.result
@@ -8913,3 +8913,15 @@ ERROR 42000: Incorrect usage/placement of 'HIGH_PRIORITY'
 #
 # End of 10.4 tests
 #
+#
+# MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*)
+#
+CREATE PROCEDURE sp() SELECT 1 INTO @;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
+CREATE PROCEDURE sp() SET @=1;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=1' at line 1
+CREATE PROCEDURE sp() SELECT @;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
+#
+# End of 10.7 tests
+#
diff --git a/mysql-test/main/sp.test b/mysql-test/main/sp.test
index 058f42d5e92..d0d1ebf62b5 100644
--- a/mysql-test/main/sp.test
+++ b/mysql-test/main/sp.test
@@ -10484,3 +10484,20 @@ DELIMITER ;$$
 --echo #
 --echo # End of 10.4 tests
 --echo #
+
+--echo #
+--echo # MDEV-28129: MariaDB UAF issue at lex_end_nops(LEX*)
+--echo #
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SELECT 1 INTO @;
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SET @=1;
+
+--error ER_PARSE_ERROR
+CREATE PROCEDURE sp() SELECT @;
+
+--echo #
+--echo # End of 10.7 tests
+--echo #
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index ef2a23bae6f..13a891d8622 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -3570,7 +3570,7 @@ simple_target_specification:
             if (!$2.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
             $$= new (thd->mem_root) Item_func_get_user_var(thd, &$2);
             if (unlikely($$ == NULL))
@@ -11001,7 +11001,7 @@ variable_aux:
             if (!$1.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
             $$= item= new (thd->mem_root) Item_func_set_user_var(thd, &$1, $3);
             if (unlikely($$ == NULL))
@@ -11015,7 +11015,7 @@ variable_aux:
             if (!$1.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
             $$= new (thd->mem_root) Item_func_get_user_var(thd, &$1);
             if (unlikely($$ == NULL))
@@ -12653,7 +12653,7 @@ select_outvar:
             if (!$2.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
 
             $$ = Lex->result ? new (thd->mem_root) my_var_user(&$2) : NULL;
@@ -14644,7 +14644,7 @@ field_or_var:
             if (!$2.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
 
             $$= new (thd->mem_root) Item_user_var_as_out_param(thd, &$2);
@@ -16465,7 +16465,7 @@ option_value_no_option_type:
             if (!$2.length)
             {
               thd->parse_error();
-              YYABORT;
+              MYSQL_YYABORT;
             }
 
             if (sp_create_assignment_lex(thd, $1.str))