
Server crashes on NAME_CONST containing AND/OR expressions

Description

SELECT NAME_CONST('a', -(1 OR 2)) OR 1;
SELECT NAME_CONST('a', -(1 AND 2)) AND 1;

See the following revision in mysql/5.6 tree:

------------------------------------------------------------
revno: 2876.473.1
revision-id: magne.mahre@oracle.com-20110915075714-zzyzvrmfnna2ro42
parent: kristofer.pettersson@oracle.com-20110906074433-13s7zt1k7rj8gff5
committer: Magne Mahre <magne.mahre@oracle.com>
branch nick: mysql-trunk-security
timestamp: Thu 2011-09-15 09:57:14 +0200
message:
  Bug#12735545 - PARSER STACK OVERFLOW WITH NAME_CONST CONTAINING OR EXPRESSION

  Using NAME_CONST with a non-constant negated expression as value
  could cause a server crash.

  The issue was solved by adding a more strict test on the value argument
  when constructing the Item_name_const object, verifying that the
  argument is indeed a literal constant.
------------------------------------------------------------

Stack trace in 10.0:

#7  0x0000000000f0787f in __cxa_pure_virtual () at 10.0/mysys/my_new.cc:74
#8  0x00000000008948e5 in Item_cond::fix_fields (this=0x7f13244e06b8, thd=0x7f132733d070, ref=0x7f13244e07f0) at 10.0/sql/item_cmpfunc.cc:4337
#9  0x000000000061780a in setup_fields (thd=0x7f132733d070, ref_pointer_array=0x7f13244e0e48, fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x7f13244e0c48, allow_sum_func=true) at 10.0/sql/sql_base.cc:7723
#10 0x00000000006a036e in JOIN::prepare (this=0x7f13244e0910, rref_pointer_array=0x7f13273416a0, tables_init=0x0, wild_num=0, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f1327341428, unit_arg=0x7f1327340d48) at 10.0/sql/sql_select.cc:775
#11 0x00000000006a8f81 in mysql_select (thd=0x7f132733d070, rref_pointer_array=0x7f13273416a0, tables=0x0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f13244e08f0, unit=0x7f1327340d48, select_lex=0x7f1327341428) at 10.0/sql/sql_select.cc:3270
#12 0x000000000069f78b in handle_select (thd=0x7f132733d070, lex=0x7f1327340c88, result=0x7f13244e08f0, setup_tables_done_option=0) at 10.0/sql/sql_select.cc:372
#13 0x0000000000674811 in execute_sqlcom_select (thd=0x7f132733d070, all_tables=0x0) at 10.0/sql/sql_parse.cc:5301
#14 0x000000000066cbbc in mysql_execute_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:2587
#15 0x0000000000676f9b in mysql_parse (thd=0x7f132733d070, rawbuf=0x7f13244e0088 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, parser_state=0x7f132ec06630) at 10.0/sql/sql_parse.cc:6447
#16 0x0000000000669d69 in dispatch_command (command=COM_QUERY, thd=0x7f132733d070, packet=0x7f1327333071 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at 10.0/sql/sql_parse.cc:1308
#17 0x000000000066910b in do_command (thd=0x7f132733d070) at 10.0/sql/sql_parse.cc:1005
#18 0x0000000000783371 in do_handle_one_connection (thd_arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1379
#19 0x00000000007830c4 in handle_one_connection (arg=0x7f132733d070) at 10.0/sql/sql_connect.cc:1293
#20 0x0000000000aab665 in pfs_spawn_thread (arg=0x7f132665c090) at 10.0/storage/perfschema/pfs.cc:1853
#21 0x00007f132e954b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#22 0x00007f132d4a3a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

Stack trace in 5.1:

#4  0x0000000000000000 in ?? ()
#5  0x00000000006f20d5 in is_cond_and (item=0x2da7990) at item_cmpfunc.h:1705
#6  0x00000000006dba31 in MYSQLparse (yythd=0x2d19608) at sql_yacc.yy:6975
#7  0x00000000006bd691 in parse_sql (thd=0x2d19608, parser_state=0x7f4afc050710, creation_ctx=0x0) at sql_parse.cc:8165
#8  0x00000000006b942e in mysql_parse (thd=0x2d19608, rawbuf=0x2da74b0 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", length=40, found_semicolon=0x7f4afc050ca0) at sql_parse.cc:6182
#9  0x00000000006ab9bd in dispatch_command (command=COM_QUERY, thd=0x2d19608, packet=0x2d869b9 "SELECT NAME_CONST('a', -(1 AND 2)) AND 1", packet_length=40) at sql_parse.cc:1294
#10 0x00000000006aa951 in do_command (thd=0x2d19608) at sql_parse.cc:906
#11 0x00000000006a78e6 in handle_one_connection (arg=0x2d19608) at sql_connect.cc:1238
#12 0x00007f4b050adb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#13 0x00007f4b04df7a7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
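The literal-constant rule the commit message describes, reconstructed as an added example (not MariaDB's or MySQL's own code) that scans SQL text and reports NAME_CONST values that are not literals, so the two crashing statements above are flagged while ordinary NAME_CONST uses pass. The sample statements, the regex and the function names are constructed assumptions that approximate the server-side check rather than reproduce it.

```python
import re

# Constructed samples: the two crashers from this report plus benign NAME_CONST uses.
SAMPLE_QUERIES = [
    "SELECT NAME_CONST('a', -(1 OR 2)) OR 1;",
    "SELECT NAME_CONST('a', -(1 AND 2)) AND 1;",
    "SELECT NAME_CONST('a', -1) + 1;",
    "SELECT NAME_CONST('a', 'x,y'), NAME_CONST('b', NULL);",
    "SELECT NAME_CONST('a', b) FROM t;",
]

# Assumed approximation of "literal constant": optional unary minus, then a number,
# a single-quoted string, NULL, TRUE or FALSE. Everything else is non-literal.
LITERAL_RE = re.compile(
    r"^-?\s*(?:\d+(?:\.\d+)?|'(?:[^'\\]|\\.)*'|NULL|TRUE|FALSE)$", re.IGNORECASE)

def is_literal_constant(expr):
    return LITERAL_RE.match(expr.strip()) is not None

def name_const_args(sql):
    """Yield (name, value) texts for each NAME_CONST(...), tracking parens and quotes."""
    for m in re.finditer(r"\bNAME_CONST\s*\(", sql, re.IGNORECASE):
        depth, quote, args, cur = 1, None, [], []
        for ch in sql[m.end():]:
            if quote:                       # inside a string literal (no escapes)
                quote = None if ch == quote else quote
            elif ch in "'\"":
                quote = ch
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:              # closing paren of this NAME_CONST call
                    break
            elif ch == "," and depth == 1:  # top-level argument separator
                args.append("".join(cur).strip())
                cur = []
                continue
            cur.append(ch)
        args.append("".join(cur).strip())
        if len(args) == 2:
            yield args[0], args[1]

def non_literal_name_const_values(sql):
    """NAME_CONST value expressions in sql that fail the literal check."""
    return [v for _, v in name_const_args(sql) if not is_literal_constant(v)]

def flag_queries(queries):
    """Statements whose NAME_CONST value would be rejected by the stricter check."""
    return [q for q in queries if non_literal_name_const_values(q)]
```

Running `flag_queries(SAMPLE_QUERIES)` returns the two crashing statements and the column-reference one; the negated literal and the string/NULL forms pass.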

Environment

None

Status

Assignee

Sergei Golubchik

Reporter

Elena Stepanova

Fix versions

Affects versions

5.1.67
5.2.14
5.3.12
5.5.35
10.0.8

Priority

Major