| Bug #68044 | A minor bug in check_simple_equality() | ||
|---|---|---|---|
| Submitted: | 6 Jan 2013 22:02 | Modified: | 7 Jan 2013 1:29 |
| Reporter: | Nickolai Zeldovich | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Optimizer | Severity: | S3 (Non-critical) |
| Version: | 5.5.30 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[6 Jan 2013 22:03]
Nickolai Zeldovich
(The patch may still be interesting because if the system were ever to run out of memory, the aforementioned code would proceed to dereference a null pointer and crash the server.)
[7 Jan 2013 1:29]
MySQL Verification Team
Verified for 5.5. BTW, this seems fixed in 5.6 and 5.7 code base.

Description: The code in check_simple_equality() in sql/sql_select.cc seems to have an incorrect check for running out of memory when allocating an Item_func_eq. Below is a fairly self-explanatory patch.

How to repeat: This code bug does not appear to cause any actual problems because the logic for handling errors at a higher level does the right thing anyway, if perhaps a little less efficiently.

Suggested fix:

--- mysql-5.5.28/sql/sql_select.cc 2012-08-29 04:50:46.000000000 -0400 +++ mysql-5.5.28/sql/sql_select.cc 2012-12-20 01:50:59.313632784 -0500 @@ -7852,7 +7852,7 @@ if (!item) { Item_func_eq *eq_item; - if ((eq_item= new Item_func_eq(left_item, right_item))) + if (!(eq_item= new Item_func_eq(left_item, right_item))) return FALSE; eq_item->set_cmp_func(); eq_item->quick_fix_field();
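Review bot: the added `!` is the whole fix and it is correct: with the removed line, `return FALSE` fires exactly when `new Item_func_eq(left_item, right_item)` succeeds, so `eq_item->set_cmp_func()` and `eq_item->quick_fix_field()` could only ever be reached with `eq_item` NULL, which is the null dereference the reporter describes in the follow-up comment. Suggest a one-line comment on the added line saying that a NULL `eq_item` is the out-of-memory case, so the early return is not mistaken for dead code, and a quick search of the 5.5 branch for the same inverted `if ((x= new ...)) return` pattern, since the verification team notes 5.6 and 5.7 already differ here.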
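As an added example (not code from the bug report or from MySQL), the reduced model below replays the checked condition with a fault-injecting allocator, so the four combinations the report describes (original or patched condition, allocation succeeding or failing) can be run as a regression test; Item, Item_func_eq, Outcome, run_check and the NULL-returning operator new are stand-ins, and the model assumes Item allocation returns NULL rather than throwing when memory runs out.

```cpp
// Reduced model of the allocation check in check_simple_equality(), with a
// fault-injecting allocator so the original and the patched condition can both
// be exercised on the out-of-memory path. All types here are stand-ins.
#include <cstdio>
#include <cstdlib>
static bool simulate_oom = false;  // constructed fault-injection switch
struct Item {};

struct Item_func_eq : Item {
  bool cmp_func_set = false, fixed = false;
  Item_func_eq(Item *, Item *) {}
  void set_cmp_func() { cmp_func_set = true; }
  void quick_fix_field() { fixed = true; }
  // noexcept allocator: a NULL result makes the new-expression yield NULL
  // without running the constructor (assumed to mirror a failed sql_alloc()).
  static void *operator new(std::size_t n) noexcept { return simulate_oom ? nullptr : std::malloc(n); }
  static void operator delete(void *p) noexcept { std::free(p); }
};

// returned_false: took the early "return FALSE"; null_dereferenced: reached
// eq_item-> with eq_item NULL (the server would crash); item_initialized:
// set_cmp_func() and quick_fix_field() both ran on a live object.
struct Outcome { bool returned_false, null_dereferenced, item_initialized; };

// patched=false: 5.5.28's "if ((eq_item= new ...)) return FALSE;"
// patched=true:  the proposed "if (!(eq_item= new ...)) return FALSE;"
static Outcome run_check(bool patched, bool oom) {
  simulate_oom = oom;
  Outcome o = {false, false, false};
  Item left, right;
  Item_func_eq *eq_item = new Item_func_eq(&left, &right);
  if (patched ? eq_item == nullptr : eq_item != nullptr) {
    o.returned_false = true; delete eq_item; return o;
  }
  if (eq_item == nullptr) { o.null_dereferenced = true; return o; }  // model-only guard
  eq_item->set_cmp_func();
  eq_item->quick_fix_field();
  o.item_initialized = eq_item->cmp_func_set && eq_item->fixed;
  delete eq_item;
  return o;
}

int main() {
  for (int p = 0; p < 2; ++p) for (int oom = 0; oom < 2; ++oom) {
    Outcome o = run_check(p, oom);
    std::printf("%s oom=%d: returned_false=%d null_deref=%d initialized=%d\n",
                p ? "patched" : "original", oom, o.returned_false, o.null_dereferenced, o.item_initialized);
  }
}
```

The original condition never initializes the item on success and reaches the NULL dereference on failure; the patched condition does the opposite in both cases.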