From b000e169562697aa072600695d4f0c0412f94f4f Mon Sep 17 00:00:00 2001
From: Sergei Golubchik <serg@mariadb.org>
Date: Tue, 17 Oct 2017 10:57:51 +0200
Subject: Bug#26361149  MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL),
 NAME_CONST('NAME', NULL))

based on:

commit f7316aa0c9a
Author: Ajo Robert <ajo.robert@oracle.com>
Date:   Thu Aug 24 17:03:21 2017 +0530

    Bug#26361149  MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST,
                           COL), NAME_CONST('NAME', NULL))

    Backport of Bug#19143243 fix.

    NAME_CONST item can return NULL_ITEM type in case of incorrect arguments.
    NULL_ITEM has special processing in Item_func_in function.
    In Item_func_in::fix_length_and_dec an array of possible comparators is
    created. Since NAME_CONST function has NULL_ITEM type, corresponding
    array element is empty. Then NAME_CONST is wrapped to ITEM_CACHE.
    ITEM_CACHE can not return proper type(NULL_ITEM) in Item_func_in::val_int(),
    so the NULL_ITEM is attempted compared with an empty comparator.
    The fix is to disable the caching of Item_name_const item.
---
 mysql-test/r/func_in.result | 6 ++++++
 mysql-test/t/func_in.test   | 8 ++++++++
 sql/item.cc                 | 1 +
 3 files changed, 15 insertions(+)

diff --git a/mysql-test/r/func_in.result b/mysql-test/r/func_in.result
index fc56660ac62..03ddbf5402b 100644
--- a/mysql-test/r/func_in.result
+++ b/mysql-test/r/func_in.result
@@ -812,3 +812,9 @@ EXECUTE s;
 1
 DROP TABLE t1;
 # End of 5.3 tests
+create table t1 (a int);
+insert t1 values (1),(2),(3);
+select * from t1 where 1 in (a, name_const('a', null));
+a
+1
+drop table t1;
diff --git a/mysql-test/t/func_in.test b/mysql-test/t/func_in.test
index 1e695142d90..439f9868ec8 100644
--- a/mysql-test/t/func_in.test
+++ b/mysql-test/t/func_in.test
@@ -606,3 +606,11 @@ EXECUTE s;
 DROP TABLE t1;
 
 --echo # End of 5.3 tests
+
+#
+# Bug#26361149 MYSQL SERVER CRASHES AT: COL IN(IFNULL(CONST, COL), NAME_CONST('NAME', NULL))
+#
+create table t1 (a int);
+insert t1 values (1),(2),(3);
+select * from t1 where 1 in (a, name_const('a', null));
+drop table t1;
diff --git a/sql/item.cc b/sql/item.cc
index 3c633ddc9ca..fa2e52bfd4a 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -6726,6 +6726,7 @@ bool Item::cache_const_expr_analyzer(uchar **arg)
     */
     if (const_item() &&
         !(basic_const_item() || item->basic_const_item() ||
+          item->type() == Item::NULL_ITEM || /* Item_name_const hack */
           item->type() == Item::FIELD_ITEM ||
           item->type() == SUBSELECT_ITEM ||
            /*
-- 
cgit v1.2.1