    MDEV-10020 InnoDB NOT IN Query Crash When One Item Is NULL · a80dbe06
    Alexander Barkov authored
    The problem was that the loop in get_func_mm_tree()
    accessed improperly initialized instances of String,
    which resided in the bzero'ed part of the in_vector::base array.
    
    Strings in in_vector::base are originally initialized
    in Item_func_in::fix_length_and_dec(),
    in in_vector::in_vector() using sql_calloc,
    rather than using a String constructor, so their str_charset
    members are originally equal to NULL.
    
    Strings in in_vector::base are later initialized
    to good values in Item_func_in::fix_length_and_dec(),
    using array->set(), in this code:
    
          uint j=0;
          for (uint i=1 ; i < arg_count ; i++)
          {
            array->set(j,args[i]);
            if (!args[i]->null_value)                      // Skip NULL values
              j++;
            else
              have_null= 1;
          }
          if ((array->used_count= j))
            array->sort();
    
    NULLs are not taken into account, so at the end
    array->used_count can be smaller than array->count.
    
    This patch fixes the loop in opt_range.cc, in get_func_mm_tree(),
    to access only properly initialized elements in in_vector::base,
    preventing access to its bzero'ed non-initialized tail.
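As an added illustration (not MariaDB's code), a minimal C++ model of the in_vector fill and scan described above: MiniString, MiniInVector, the "latin1" placeholder charset and the sample argument list are constructed stand-ins, and the scan reports a NULL str_charset instead of dereferencing it.

```cpp
#include <cstdlib>
#include <vector>
// Stand-in for MariaDB's String: str_charset stays NULL until set() runs,
// exactly like the zeroed tail of in_vector::base.
struct MiniString {
    const char *str_charset;
    const char *ptr;   // nullptr models an SQL NULL argument
};

struct MiniInVector {
    MiniString *base;
    unsigned count;       // allocated slots, one per IN() argument
    unsigned used_count;  // slots holding non-NULL values after the fill loop
    explicit MiniInVector(unsigned n)
        : base(static_cast<MiniString *>(std::calloc(n, sizeof(MiniString)))),
          count(n), used_count(0) {}
    ~MiniInVector() { std::free(base); }
    // Mirrors Item_func_in::fix_length_and_dec(): set(j, arg) runs for every
    // argument, but j only advances for non-NULL ones, so any NULL leaves
    // used_count < count and the tail of base never initialised.
    void fill(const std::vector<const char *> &args) {
        unsigned j = 0;
        for (const char *a : args) {
            base[j].str_charset = "latin1";   // constructed placeholder charset
            base[j].ptr = a;
            if (a) j++;
        }
        used_count = j;
    }
};

// Shape of the get_func_mm_tree() loop: bounded by count it reaches slots whose
// str_charset is still NULL (the real code crashed there); bounded by used_count,
// as in the fix, it never does.
unsigned uninitialised_slots_seen(const MiniInVector &v, bool bound_by_used_count) {
    unsigned limit = bound_by_used_count ? v.used_count : v.count;
    unsigned bad = 0;
    for (unsigned i = 0; i < limit; i++)
        if (v.base[i].str_charset == nullptr) bad++;
    return bad;
}

// Builds the vector for an IN()/NOT IN() argument list and scans it.
unsigned bad_slots(const std::vector<const char *> &args, bool fixed_loop) {
    MiniInVector v(static_cast<unsigned>(args.size()));
    v.fill(args);
    return uninitialised_slots_seen(v, fixed_loop);
}
```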