From dc6969734afbd6598035c81a3e0a7f139083ed65 Mon Sep 17 00:00:00 2001
From: Annamalai Gurusami
Date: Fri, 22 Feb 2013 14:56:17 +0530
Subject: Bug #14211565 CRASH WHEN ATTEMPTING TO SET SYSTEM VARIABLE TO RESULT OF VALUES()

Problem: When the VALUES() function is inappropriately used in the SET stmt the server exits. set port = values(v); This happens because the values(v) will be parsed as an Item_insert_value by the parser. Both Item_field and Item_insert_value return the type as FIELD_ITEM. But for Item_insert_value the field_name member is NULL. In set_var constructor, when the type of the item is FIELD_ITEM we try to access the non-existent field_name. The class hierarchy is as follows: Item -> Item_ident -> Item_field -> Item_insert_value The Item_ident::field_name is NULL for Item_insert_value. Solution: In the parsing stage, in the set_var constructor if the item type is FIELD_ITEM and if the field_name is non-existent, then it is probably the Item_insert_value. So leave it as it is for later evaluation. rb://2004 approved by Roy and Norvald.
---
sql/set_var.h | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
(limited to 'sql')
diff --git a/sql/set_var.h b/sql/set_var.h
index 97e3c74593b..7b1dbcddb96 100644
--- a/sql/set_var.h
+++ b/sql/set_var.h
@@ -1326,13 +1326,23 @@ public:
 if (value_arg && value_arg->type() == Item::FIELD_ITEM)
 {
 Item_field *item= (Item_field*) value_arg;
- if (!(value=new Item_string(item->field_name,
- (uint) strlen(item->field_name),
- item->collation.collation)))
- value=value_arg; /* Give error message later */
+ if (item->field_name)
+ {
+ if (!(value= new Item_string(item->field_name,
+ (uint) strlen(item->field_name),
+ item->collation.collation)))
+ value= value_arg; /* Give error message later */
+ }
+ else
+ {
+ /* Both Item_field and Item_insert_value will return the type as
+ Item::FIELD_ITEM. If the item->field_name is NULL, we assume the
+ object to be Item_insert_value. */
+ value= value_arg;
+ }
 }
 else
+ value= value_arg;
- value=value_arg;
 }
 int check(THD *thd);
 int update(THD *thd);
-- cgit v1.2.1
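Review bot: The new `else` branch treats every FIELD_ITEM with a NULL `field_name` as an Item_insert_value and passes `value_arg` through unchanged, but nothing in the hunk verifies that assumption or shows that the later `check()`/`update()` path rejects such an item cleanly. The crash was reachable from an ordinary statement (`set port = values(v);` in the description), yet the diffstat lists only sql/set_var.h, so no regression test pins the fixed behaviour; I would add one that runs that statement and expects an error rather than a server exit. The comment could also record the consequence and not only the assumption, for example `/* field_name is NULL for Item_insert_value (VALUES() used outside INSERT); keep the item so the error is reported later. */`, assuming the later evaluation does report an error, which is not visible here. The constructor begins above the hunk, so how `value` is consumed afterwards cannot be confirmed from these lines.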