MDEV-18339: ASAN heap-buffer-overflow in Item_exists_subselect::is_top_level_item

Right argument of Item_in_optimizer can not be cast to Item_in_subselect in invisible mode.

MDEV-18339: ASAN heap-buffer-overflow in Item_exists_subselect::is_top_level_item
Right argument of Item_in_optimizer can not be cast to Item_in_subselect in invisible mode.
a36ac52f · Oleksandr Byelkin · 2b711d23 · a36ac52f
Commit a36ac52f authored Mar 06, 2019 by Oleksandr Byelkin
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

sql/item_cmpfunc.cc sql/item_cmpfunc.cc +4 -4

No files found.
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -1182,6 +1182,8 @@ longlong Item_func_truth::val_int()
 bool Item_in_optimizer::is_top_level_item()
 {
+  if (invisible_mode())
+    return FALSE;
  return ((Item_in_subselect *)args[1])->is_top_level_item();
 }
@@ -1237,8 +1239,7 @@ void Item_in_optimizer::print(String *str, enum_query_type query_type)
 void Item_in_optimizer::restore_first_argument()
 {
-  if (args[1]->type() == Item::SUBSELECT_ITEM &&
+  if (!invisible_mode())
-      ((Item_subselect *)args[1])->is_in_predicate())
  {
    args[0]= ((Item_in_subselect *)args[1])->left_expr;
  }
@@ -1255,8 +1256,7 @@ bool Item_in_optimizer::fix_left(THD *thd)
    it is args[0].
  */
  Item **ref0= args;
-  if (args[1]->type() == Item::SUBSELECT_ITEM &&
+  if (!invisible_mode())
-      ((Item_subselect *)args[1])->is_in_predicate())
  {
    /*
       left_expr->fix_fields() may cause left_expr to be substituted for