Bug #1231 Crash in yyparse while parsing bad query
Submitted: 9 Sep 2003 3:19   Modified: 12 Sep 2003 9:29
Reporter: Jeremy Cole (Basic Quality Contributor) (OCA)
Status: Closed
Category: MySQL Server   Severity: S2 (Serious)
Version: 4.1.1 (20030830)   OS:
Assigned to: MySQL Verification Team   CPU Architecture: Any

[9 Sep 2003 3:19] Jeremy Cole
Description:
I managed to generate a syntactically incorrect query from PHP.  I know that the query is wrong, and I've fixed it, but I managed to hit some bug, which causes a SIGSEGV.

The stack trace for this is:

0x80bbfcd handle_segfault + 621
0x82f28ba __pthread_sighandler + 122
0x80e6fe3 _Z7yyparsePv + 66099
0x80d3f2a _Z11mysql_parseP3THDPcj + 106
0x80cd412 _Z16dispatch_command19enum_server_commandP3THDPcj + 3586
0x80cc595 _Z10do_commandP3THD + 117
0x80cbcce handle_one_connection + 702
0x82ee1ed pthread_start_thread + 205
0x832be87 clone + 103

How to repeat:
Run the following query, in any database (since the crash is in the parser you don't even need to have any of the tables).

select mail_id,
        if(folder.f_description!='', folder.f_description, folder.f_name)
as folder_name,
        date,
        address_id,
        phrase,
        address,
        subject
from folder,
(select  mail.mail_id as mail_id,
        date_format(mail.h_date, '%b %e, %Y %h:%i') as date,
        mail.folder_id,
        sender.address_id as address_id,
        sender.phrase as phrase,
        sender.address as address,
        mail.h_subject as subject
from    mail
left join mxa as mxa_sender on mail.mail_id=mxa_sender.mail_id and
mxa_sender.type='from'
left join address as sender on mxa_sender.address_id=sender.address_id
        mxa as mxa_recipient,
  address as recipient,

where 1
    and mail.mail_id=mxa_recipient.mail_id
  and mxa_recipient.address_id=recipient.address_id
  and mxa_recipient.type='to'

    and  match(sender.phrase, sender.address, sender.comment) against
('jeremy' in boolean mode)
  and  match(recipient.phrase, recipient.address, recipient.comment)
against ('monty' in boolean mode)

order by mail.h_date desc
limit 0, 25
) as query where query.folder_id=folder.folder_id

Suggested fix:
Fix the parser. :)
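Added here for context, and not part of the original report: the reporter's query with its two syntax defects repaired, so the malformed construct that reached yyparse is easy to spot. The repair shown is my reading of the query, and that it matches what the reporter actually fixed is an assumption; the table and column names are taken verbatim from the report and nothing else about the schema is known. The statement is a slightly re-indented copy of the report's query with the two offending tokens corrected and the repaired spots commented.

```sql
-- Added example (not from the bug report or the MySQL source): the
-- report's query with its two syntax defects repaired. That this is the
-- fix the reporter applied is an assumption; table and column names come
-- from the report, and the schema is otherwise unknown.
select mail_id,
       if(folder.f_description != '', folder.f_description, folder.f_name) as folder_name,
       date,
       address_id,
       phrase,
       address,
       subject
from folder,
     (select mail.mail_id as mail_id,
             date_format(mail.h_date, '%b %e, %Y %h:%i') as date,
             mail.folder_id,
             sender.address_id as address_id,
             sender.phrase as phrase,
             sender.address as address,
             mail.h_subject as subject
      from mail
      left join mxa as mxa_sender
             on mail.mail_id = mxa_sender.mail_id and mxa_sender.type = 'from'
      left join address as sender
             on mxa_sender.address_id = sender.address_id,
      -- defect 1: the report's query had no comma (or JOIN keyword) between
      -- the preceding ON clause and this table reference
      mxa as mxa_recipient,
      -- defect 2: the report's query left a trailing comma after this table,
      -- immediately before WHERE
      address as recipient
      where mail.mail_id = mxa_recipient.mail_id
        and mxa_recipient.address_id = recipient.address_id
        and mxa_recipient.type = 'to'
        and match(sender.phrase, sender.address, sender.comment)
            against ('jeremy' in boolean mode)
        and match(recipient.phrase, recipient.address, recipient.comment)
            against ('monty' in boolean mode)
      order by mail.h_date desc
      limit 0, 25
     ) as query
where query.folder_id = folder.folder_id;
```

The security-relevant point is the contrast between the two versions: the original query should have been rejected with a parse error (MySQL error 1064, ER_PARSE_ERROR) before any table was touched, yet it took the whole server down. A parser that segfaults on input it is supposed to reject is a denial of service available to any client that can submit SQL, which is why a malformed query from an application bug is worth reporting rather than just fixing on the client side. On a build carrying the fix referenced below, both the broken query and this repaired one should leave mysqld running, the former with error 1064 and the latter with either a result set or an unknown-table error for whatever tables do not exist.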
[12 Sep 2003 9:29] MySQL Verification Team
patch pushed with test case