From 0fa1a7cc6af2d1ca90363f73d6bff97c805caf22 Mon Sep 17 00:00:00 2001 From: Aleksey Midenkov Date: Mon, 13 Jan 2025 15:40:59 +0300 Subject: [PATCH] MDEV-28130 MariaDB SEGV issue at tree_search_next In case of error last_pos points to null_element and there is no any other children. tree_search_next() walks the children from last_pos until the leaves (null_element) ignoring the case the topmost parent in search state is the leaf itself. --- mysql-test/suite/heap/heap.result | 12 ++++++++++++ mysql-test/suite/heap/heap.test | 10 ++++++++++ mysys/tree.c | 3 +++ 3 files changed, 25 insertions(+) diff --git a/mysql-test/suite/heap/heap.result b/mysql-test/suite/heap/heap.result index 11c50d97475..d42e898a0ae 100644 --- a/mysql-test/suite/heap/heap.result +++ b/mysql-test/suite/heap/heap.result @@ -884,3 +884,15 @@ CREATE TABLE t1 (a VARCHAR(128), b VARCHAR(32), KEY(a) USING BTREE, KEY(b) USING INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL); DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL; DROP TABLE t1; +# +# MDEV-28130 MariaDB SEGV issue at tree_search_next +# +CREATE TABLE v(t1 INT, pk INT, KEY(t1), KEY pk using btree (pk), KEY v using btree(t1, pk)) engine=memory; +HANDLER v OPEN; +HANDLER v READ t1=(2) limit 3; +t1 pk +HANDLER v READ pk PREV; +t1 pk +HANDLER v READ pk PREV; +t1 pk +drop table v; diff --git a/mysql-test/suite/heap/heap.test b/mysql-test/suite/heap/heap.test index 02a2586f605..97784aefc0f 100644 --- a/mysql-test/suite/heap/heap.test +++ b/mysql-test/suite/heap/heap.test 
@@ -668,3 +668,13 @@ INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL); DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL; # Cleanup DROP TABLE t1; + +--echo # +--echo # MDEV-28130 MariaDB SEGV issue at tree_search_next +--echo # +CREATE TABLE v(t1 INT, pk INT, KEY(t1), KEY pk using btree (pk), KEY v using btree(t1, pk)) engine=memory; +HANDLER v OPEN; +HANDLER v READ t1=(2) limit 3; +HANDLER v READ pk PREV; +HANDLER v READ pk PREV; +drop table v; diff --git a/mysys/tree.c b/mysys/tree.c index cd44f779e6f..db0442fa827 100644 --- a/mysys/tree.c +++ b/mysys/tree.c @@ -494,6 +494,9 @@ void *tree_search_next(TREE *tree, TREE_ELEMENT ***last_pos, int l_offs, int r_offs) { TREE_ELEMENT *x= **last_pos; + + if (x == &null_element) + return NULL; if (ELEMENT_CHILD(x, r_offs) != &null_element) {
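Review bot: The new regression case in heap.test drives the BTREE index only backwards (`HANDLER v READ pk PREV;` twice) after the failed `READ t1=(2)`. tree_search_next takes `l_offs`/`r_offs`, so forward reads presumably reach the same guard with the offsets swapped; that is inferred from the signature, not visible here. Adding `HANDLER v READ pk NEXT;` after the two PREV reads, with its empty `t1 pk` result in heap.result, would pin both directions. This matters because the crash is reachable from plain SQL.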
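Review bot: The added guard `if (x == &null_element) return NULL;` at the top of tree_search_next has no comment explaining why the sentinel can arrive as the current position. The reason is given only in the commit message: a failed search leaves `*last_pos` on `null_element`. I would put it in the code, e.g. `/* A failed search leaves *last_pos on the null_element sentinel: nothing to walk from, so no next element (MDEV-28130). */`. The early return leaves `*last_pos` unchanged, so callers now get NULL both for "end of tree" and for "search state was never valid". The function's doc comment should say so, and the heap caller that leaves the stale state could reset it, though that caller is not visible in this patch. The body of tree_search_next continues past the end of the hunk, so the parent-walking branch was not checked for the same sentinel assumption.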