From 59211ab7b9fb3c106e805bebd393731f42f95abe Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Tue, 15 Dec 2020 00:16:21 +0100
Subject: MDEV-24346 valgrind error in main.precedence Part II. It's still possible to bypass Item_func_like::escape initialization in Item_func_like::fix_fields(). This requires ESCAPE argument being a cacheable subquery that uses tables and is inside a derived table which is used in multi-update. Instead of implementing a complex or expensive fix for this particular ridiculously artificial case, let's simply disallow it.
---
 sql/item_cmpfunc.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'sql/item_cmpfunc.cc')
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index e0dad886a06..bfd7f3dbd1b 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -5348,7 +5348,18 @@ bool fix_escape_item(THD *thd, Item *escape_item, String *tmp_str,
 bool escape_used_in_parsing, CHARSET_INFO *cmp_cs,
 int *escape)
 {
- if (!escape_item->const_during_execution())
+ /*
+ ESCAPE clause accepts only constant arguments and Item_param.
+
+ Subqueries during context_analysis_only might decide they're
+ const_during_execution, but not quite const yet, not evaluate-able.
+ This is fine, as most of context_analysis_only modes will never
+ reach val_int(), so we won't need the value.
+ CONTEXT_ANALYSIS_ONLY_DERIVED being a notable exception here.
+ */
+ if (!escape_item->const_during_execution() ||
+ (!escape_item->const_item() &&
+ !(thd->lex->context_analysis_only & ~CONTEXT_ANALYSIS_ONLY_DERIVED)))
 {
 my_error(ER_WRONG_ARGUMENTS,MYF(0),"ESCAPE");
 return TRUE;
-- 
cgit v1.2.1
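Review bot: The last clause of the new condition, `!(thd->lex->context_analysis_only & ~CONTEXT_ANALYSIS_ONLY_DERIVED)`, is a double negation over a bitmask, and the comment above it does not say what happens when the DERIVED bit is set together with another analysis bit: as written, that combination still lets a non-const ESCAPE item through. If that is deliberate (presumably so that a not-yet-bound parameter is still accepted while preparing a statement; this is an inference, not something the hunk shows), the comment should state it, because the commit message ties this guard to the uninitialized Item_func_like::escape read that valgrind reported. Naming the test would make the intent reviewable: `const bool value_needed= !(thd->lex->context_analysis_only & ~CONTEXT_ANALYSIS_ONLY_DERIVED);` followed by `if (!escape_item->const_during_execution() || (!escape_item->const_item() && value_needed))`. The body of fix_escape_item continues past the end of the hunk, so whether `*escape` is assigned on every remaining path cannot be checked from here.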