From 52f038c5c3a065d2c68197535d844f6ed00a09cc Mon Sep 17 00:00:00 2001
From: Sergei Golubchik <sergii@pisem.net>
Date: Wed, 12 Feb 2014 21:17:28 +0100
Subject: MDEV-5655 Server crashes on NAME_CONST containing AND/OR expressions

fix the NAME_CONST check to only allow literals, negated literals, and literals with
the explicit collation.
---
 mysql-test/r/func_misc.result |  7 +++++++
 mysql-test/t/func_misc.test   | 10 ++++++++++
 sql/item.cc                   | 31 +++++++++++++++++++++----------
 3 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/mysql-test/r/func_misc.result b/mysql-test/r/func_misc.result
index 5910a45c839..56d27ff78be 100644
--- a/mysql-test/r/func_misc.result
+++ b/mysql-test/r/func_misc.result
@@ -265,3 +265,10 @@ SELECT '1' IN ('1', INET_NTOA(0));
 '1' IN ('1', INET_NTOA(0))
 1
 End of tests
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1 AND 2)) AND 1;
+ERROR HY000: Incorrect arguments to NAME_CONST
+SELECT NAME_CONST('a', -(1)) OR 1;
+NAME_CONST('a', -(1)) OR 1
+1
diff --git a/mysql-test/t/func_misc.test b/mysql-test/t/func_misc.test
index 2a72578aca7..c4cc7734186 100644
--- a/mysql-test/t/func_misc.test
+++ b/mysql-test/t/func_misc.test
@@ -300,3 +300,13 @@ SELECT '1' IN ('1', INET_NTOA(0));
 
 
 --echo End of tests
+
+#
+# MDEV-5655 Server crashes on NAME_CONST containing AND/OR expressions
+#
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
+--error ER_WRONG_ARGUMENTS
+SELECT NAME_CONST('a', -(1 AND 2)) AND 1;
+SELECT NAME_CONST('a', -(1)) OR 1;
+
diff --git a/sql/item.cc b/sql/item.cc
index 976449e6353..82b6c921ec7 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1284,17 +1284,28 @@ bool Item_name_const::is_null()
 Item_name_const::Item_name_const(Item *name_arg, Item *val):
     value_item(val), name_item(name_arg)
 {
-  if (!(valid_args= name_item->basic_const_item() &&
-                    (value_item->basic_const_item() ||
-                     ((value_item->type() == FUNC_ITEM) &&
-                      ((((Item_func *) value_item)->functype() ==
-                         Item_func::COLLATE_FUNC) ||
-                      ((((Item_func *) value_item)->functype() ==
-                         Item_func::NEG_FUNC) &&
-                      (((Item_func *) value_item)->key_item()->type() !=
-                         FUNC_ITEM)))))))
-    my_error(ER_WRONG_ARGUMENTS, MYF(0), "NAME_CONST");
   Item::maybe_null= TRUE;
+  valid_args= true;
+  if (!name_item->basic_const_item())
+    goto err;
+
+  if (value_item->basic_const_item())
+    return; // ok
+
+  if (value_item->type() == FUNC_ITEM)
+  {
+    Item_func *value_func= (Item_func *) value_item;
+    if (value_func->functype() != Item_func::COLLATE_FUNC &&
+        value_func->functype() != Item_func::NEG_FUNC)
+      goto err;
+
+    if (value_func->key_item()->basic_const_item())
+      return; // ok
+  }
+
+err:
+  valid_args= false;
+  my_error(ER_WRONG_ARGUMENTS, MYF(0), "NAME_CONST");
 }
 
 
-- 
cgit v1.2.1