diff --git a/mysql-test/r/ctype_gbk.result b/mysql-test/r/ctype_gbk.result
index 98a6839be4c0cd33e990b147a1cfb2e14187cb22..c144ed6881dadde45490f53e07cbb8da3a8a93f3 100644
--- a/mysql-test/r/ctype_gbk.result
+++ b/mysql-test/r/ctype_gbk.result
@@ -247,4 +247,11 @@ t1 CREATE TABLE `t1` (
 `c2` text NOT NULL
 ) ENGINE=MyISAM DEFAULT CHARSET=gbk
 drop table t1;
+CREATE TABLE t1(a MEDIUMTEXT CHARACTER SET gbk,
+b MEDIUMTEXT CHARACTER SET big5);
+INSERT INTO t1 VALUES
+(REPEAT(0x1125,200000), REPEAT(0x1125,200000)), ('', ''), ('', '');
+SELECT a FROM t1 GROUP BY 1 LIMIT 1 INTO @nullll;
+SELECT b FROM t1 GROUP BY 1 LIMIT 1 INTO @nullll;
+DROP TABLES t1;
 End of 5.0 tests
diff --git a/mysql-test/r/subselect3.result b/mysql-test/r/subselect3.result
index 89cc3626aa9885ffc7d67c7d6e7bfe837bfedda6..5f8aa2f1767b7de414cfca3e82b353c6c130d517 100644
--- a/mysql-test/r/subselect3.result
+++ b/mysql-test/r/subselect3.result
@@ -770,4 +770,13 @@ SELECT ROW(1, 2) IN (SELECT t1.a, 2 FROM t2) FROM t1 GROUP BY t1.a;
 ROW(1, 2) IN (SELECT t1.a, 2 FROM t2)
 1
 DROP TABLE t1, t2;
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2),(3);
+CREATE TABLE t2 SELECT * FROM t1;
+SELECT 1 FROM t1 WHERE t1.a NOT IN (SELECT 1 FROM t1, t2 WHERE 0);
+1
+1
+1
+1
+DROP TABLE t1, t2;
 End of 5.0 tests
diff --git a/mysql-test/t/ctype_gbk.test b/mysql-test/t/ctype_gbk.test
index 3ea696338dc7b74a28c5e983bfa5a51f649344cc..91fe50d89b929ab597e6400618ac30ff74f7a820 100644
--- a/mysql-test/t/ctype_gbk.test
+++ b/mysql-test/t/ctype_gbk.test
@@ -53,4 +53,18 @@ alter table t1 change c1 c1 mediumtext character set gbk not null;
 show create table t1;
 drop table t1;
+#
+# Bug#35993: severe memory corruption and crash with multibyte conversion
+#
+
+CREATE TABLE t1(a MEDIUMTEXT CHARACTER SET gbk,
+ b MEDIUMTEXT CHARACTER SET big5);
+INSERT INTO t1 VALUES
+ (REPEAT(0x1125,200000), REPEAT(0x1125,200000)), ('', ''), ('', '');
+
+SELECT a FROM t1 GROUP BY 1 LIMIT 1 INTO @nullll;
+SELECT b FROM t1 GROUP BY 1 LIMIT 1 INTO @nullll;
+
+DROP TABLES t1;
+
 --echo End of 5.0 tests
diff --git a/mysql-test/t/subselect3.test b/mysql-test/t/subselect3.test
index cfbde8c29cd3f111ae4bfba887c7f3a24281c048..d7bb1f7186a67e23ccfe534c555567fd4e261fe3 100644
--- a/mysql-test/t/subselect3.test
+++ b/mysql-test/t/subselect3.test
@@ -605,4 +605,17 @@ SELECT ROW(1, 2) IN (SELECT t1.a, 2 FROM t2) FROM t1 GROUP BY t1.a;
 DROP TABLE t1, t2;
+#
+# Bug #36005: crash in subselect with single row
+# (subselect_single_select_engine::exec)
+#
+
+CREATE TABLE t1 (a INT);
+INSERT INTO t1 VALUES (1),(2),(3);
+CREATE TABLE t2 SELECT * FROM t1;
+
+SELECT 1 FROM t1 WHERE t1.a NOT IN (SELECT 1 FROM t1, t2 WHERE 0);
+
+DROP TABLE t1, t2;
+
 --echo End of 5.0 tests
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 164edacc932791a441bda76d259b9141dc498e4d..3353b7c8a8039a4d8635dc918460ed052cf70395 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -846,6 +846,7 @@ JOIN::optimize()
 "Impossible HAVING" : "Impossible WHERE"));
 zero_result_cause= having_value == Item::COND_FALSE ?
 "Impossible HAVING" : "Impossible WHERE";
+ tables= 0;
 error= 0;
 DBUG_RETURN(0);
 }
diff --git a/strings/ctype-big5.c b/strings/ctype-big5.c
index ecfd3d648e09df5ce8941ea1ca191658d8a395fe..3da307b82fcfbbee5d5859dc657ad45063d7fcf4 100644
--- a/strings/ctype-big5.c
+++ b/strings/ctype-big5.c
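Review bot: In mysql-test/t/ctype_gbk.test the Bug#35993 case fills both columns with `REPEAT(0x1125,200000)`, and neither byte looks like a gbk or big5 lead byte (judging from the charset definitions, which are not part of this diff), so the two `SELECT ... GROUP BY 1` statements would only go through the single-byte `else` branch of my_strnxfrm_gbk and my_strnxfrm_big5. The new `if (dest < dest_end)` guard in front of the tail-byte write is then never reached by this test. I would add a row whose value is one single-byte character followed by a long run of valid double-byte characters, so that a two-byte weight falls on the end of the sort buffer. A short comment such as `# No result is checked: the test passes if the server survives; run it under valgrind to see an overrun` would also help, since both statements select INTO a variable and produce no output.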
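Review bot: The added `tables= 0;` in the impossible-WHERE/HAVING return of JOIN::optimize() in sql/sql_select.cc carries no comment, and nothing in the hunk says which later reader of `tables` it protects. Going by the Bug #36005 test title this is presumably subselect_single_select_engine::exec touching join_tab entries that were never set up on this path, but that code is outside the diff. I would state the reason at the assignment, e.g. `tables= 0; /* no join_tab is built on this path; later code must not iterate over it */`, once it is confirmed. JOIN::optimize() starts and ends outside the hunk, so other early returns that set zero_result_cause cannot be checked from here for the same omission.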
@@ -307,15 +307,17 @@ static size_t my_strnxfrm_big5(CHARSET_INFO *cs __attribute__((unused)),
 {
 uint16 e;
 size_t dstlen= len;
+ uchar *dest_end= dest + dstlen;
 len = srclen;
- while (len--)
+ while (len-- && dest < dest_end)
 {
 if ((len > 0) && isbig5code(*src, *(src+1)))
 {
 e = big5strokexfrm((uint16) big5code(*src, *(src+1)));
 *dest++ = big5head(e);
- *dest++ = big5tail(e);
+ if (dest < dest_end)
+ *dest++ = big5tail(e);
 src +=2;
 len--;
 } else
diff --git a/strings/ctype-gbk.c b/strings/ctype-gbk.c
index c7a2558eb372b3dc058d0d585b07e4b7cab344c2..7b8bb85652bcdfc0673ea09b434dc2957fc2373f 100644
--- a/strings/ctype-gbk.c
+++ b/strings/ctype-gbk.c
@@ -2668,15 +2668,17 @@ static size_t my_strnxfrm_gbk(CHARSET_INFO *cs __attribute__((unused)),
 {
 uint16 e;
 size_t dstlen= len;
+ uchar *dest_end= dest + dstlen;
 len = srclen;
- while (len--)
+ while (len-- && dest < dest_end)
 {
 if ((len > 0) && isgbkcode(*src, *(src+1)))
 {
 e = gbksortorder((uint16) gbkcode(*src, *(src+1)));
 *dest++ = gbkhead(e);
- *dest++ = gbktail(e);
+ if (dest < dest_end)
+ *dest++ = gbktail(e);
 src+=2;
 len--;
 } else
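Review bot: The new bound in my_strnxfrm_big5 (strings/ctype-big5.c) can end the key in the middle of a character: `big5head(e)` is written and `big5tail(e)` is skipped when one byte of room is left, and no comment states that this truncation is intended. I would document it where `dest_end` is declared, e.g. `/* dest holds dstlen bytes; the key is truncated when full, possibly after the head byte of a two-byte weight */`. The loop test `len-- && dest < dest_end` also decrements `len` once more when the buffer is already full; `dest < dest_end && len--` avoids that if anything after the loop reads `len`. The end of the function is outside the hunk, so the padding and return value for a truncated key cannot be checked here. The my_strnxfrm_gbk hunk in strings/ctype-gbk.c makes the identical change and the same remarks apply.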