Commit 984e051f authored by Norvald H. Ryeng's avatar Norvald H. Ryeng

Bug#13031606 VALUES() IN A SELECT STATEMENT CRASHES SERVER

Problem: Grouping results by VALUES(alias for string literal) causes
the server to crash.

Item_insert_values is not constructed to handle other types of
arguments than field and reference to field. In this case, the
argument is an Item_string, and this causes
Item_insert_values::fix_fields() to crash.

Fix: Issue an error message when the argument to Item_insert_values is
not a field or a reference to a field.

This slightly deviates from the documentation, which states that
VALUES should return NULL, but the error message is only issued in
cases where the server otherwise would crash, so there is no change in
behavior for queries that already work. Future versions will restrict
syntax so that using VALUES in this way is illegal.


mysql-test/r/errors.result:
  Add test case for bug #13031606.
mysql-test/t/errors.test:
  Add test case for bug #13031606.
sql/item.cc:
  Issue error message if argument is not field or reference to field.
parent 66b5f00a
......@@ -55,3 +55,17 @@ Error 1054 Unknown column 'b' in 'field list'
INSERT INTO t1 SELECT b FROM t1;
ERROR 42S22: Unknown column 'b' in 'field list'
DROP TABLE t1;
CREATE TABLE t1 (a INT);
CREATE TABLE t2(a INT PRIMARY KEY, b INT);
SELECT '' AS b FROM t1 GROUP BY VALUES(b);
ERROR 42S22: Unknown column '' in 'VALUES() function'
REPLACE t2(b) SELECT '' AS b FROM t1 GROUP BY VALUES(b);
ERROR 42S22: Unknown column '' in 'VALUES() function'
UPDATE t2 SET a=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
ERROR 42S22: Unknown column '' in 'VALUES() function'
INSERT INTO t2 VALUES (1,0) ON DUPLICATE KEY UPDATE
b=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
ERROR 42S22: Unknown column '' in 'VALUES() function'
INSERT INTO t2(a,b) VALUES (1,0) ON DUPLICATE KEY UPDATE
b=(SELECT VALUES(a)+2 FROM t1);
DROP TABLE t1, t2;
......@@ -67,3 +67,21 @@ SHOW ERRORS;
INSERT INTO t1 SELECT b FROM t1;
DROP TABLE t1;
# End of 5.0 tests
#
# Bug #13031606 VALUES() IN A SELECT STATEMENT CRASHES SERVER
#
CREATE TABLE t1 (a INT);
CREATE TABLE t2(a INT PRIMARY KEY, b INT);
--error ER_BAD_FIELD_ERROR
SELECT '' AS b FROM t1 GROUP BY VALUES(b);
--error ER_BAD_FIELD_ERROR
REPLACE t2(b) SELECT '' AS b FROM t1 GROUP BY VALUES(b);
--error ER_BAD_FIELD_ERROR
UPDATE t2 SET a=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
--error ER_BAD_FIELD_ERROR
INSERT INTO t2 VALUES (1,0) ON DUPLICATE KEY UPDATE
b=(SELECT '' AS b FROM t1 GROUP BY VALUES(b));
INSERT INTO t2(a,b) VALUES (1,0) ON DUPLICATE KEY UPDATE
b=(SELECT VALUES(a)+2 FROM t1);
DROP TABLE t1, t2;
......@@ -6657,20 +6657,12 @@ bool Item_insert_value::fix_fields(THD *thd, Item **items)
}
if (arg->type() == REF_ITEM)
arg= static_cast<Item_ref *>(arg)->ref[0];
if (arg->type() != FIELD_ITEM)
{
Item_ref *ref= (Item_ref *)arg;
if (ref->ref[0]->type() != FIELD_ITEM)
{
my_error(ER_BAD_FIELD_ERROR, MYF(0), "", "VALUES() function");
return TRUE;
}
arg= ref->ref[0];
my_error(ER_BAD_FIELD_ERROR, MYF(0), "", "VALUES() function");
return TRUE;
}
/*
According to our SQL grammar, VALUES() function can reference
only to a column.
*/
DBUG_ASSERT(arg->type() == FIELD_ITEM);
Item_field *field_arg= (Item_field *)arg;
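Review bot: The new check `if (arg->type() != FIELD_ITEM)` removes the comment and the `DBUG_ASSERT(arg->type() == FIELD_ITEM)` that explained why only a column is acceptable here, so a reader of the new code no longer sees why the `(Item_field *)arg` cast on the next line is safe; restore the rationale as a comment above the check, e.g. `/* VALUES() may only reference a column; anything else (e.g. a GROUP BY alias that resolves to a literal) is rejected here instead of being cast to Item_field below. */`. The new line `arg= static_cast<Item_ref *>(arg)->ref[0];` assumes the reference is already resolved when fix_fields reaches this point; if that is not guaranteed by the code above the hunk, an unset `ref[0]` would move the crash rather than remove it, so it is worth confirming. A reference that itself resolves to another reference is now reported as an unknown column rather than followed one more level; if the grammar can produce such an item, a short comment noting the one-level dereference would avoid a future "fix" that reintroduces the cast on an unchecked item. Item_insert_value::fix_fields begins and ends outside this hunk.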