From 70dbd63e029990730befb192e6a9b521eb135cf2 Mon Sep 17 00:00:00 2001 From: Alexander Barkov Date: Mon, 18 Nov 2024 12:38:43 +0400 Subject: [PATCH] MDEV-24337 Server crash in DTCollation::set_repertoire_from_charset The loop in Item_func_in::get_func_mm_tree incorrectly used array->count in the loop. Fixing it to array->used_count. --- mysql-test/main/gis.result | 7 +++++++ mysql-test/main/gis.test | 8 ++++++++ sql/opt_range.cc | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/mysql-test/main/gis.result b/mysql-test/main/gis.result index a39729c26ae..c4918809e4d 100644 --- a/mysql-test/main/gis.result +++ b/mysql-test/main/gis.result @@ -5459,4 +5459,11 @@ drop table t1, t2; SELECT ST_ASTEXT(BOUNDARY(INET6_ATON('255.255.255.255'))) AS c1; c1 NULL +# +# Server crash in DTCollation::set_repertoire_from_charset +# +CREATE TABLE t (f POINT, KEY(f)); +DELETE FROM t WHERE f NOT IN (NULL,'x'); +ERROR 22003: Cannot get geometry object from data you send to the GEOMETRY field +DROP TABLE t; # End of 10.5 tests diff --git a/mysql-test/main/gis.test b/mysql-test/main/gis.test index eebb4620630..8e392e6b2f4 100644 --- a/mysql-test/main/gis.test +++ b/mysql-test/main/gis.test @@ -3463,5 +3463,13 @@ drop table t1, t2; SELECT ST_ASTEXT(BOUNDARY(INET6_ATON('255.255.255.255'))) AS c1; +--echo # +--echo # Server crash in DTCollation::set_repertoire_from_charset +--echo # + +CREATE TABLE t (f POINT, KEY(f)); +--error ER_CANT_CREATE_GEOMETRY_OBJECT +DELETE FROM t WHERE f NOT IN (NULL,'x'); +DROP TABLE t; --echo # End of 10.5 tests diff --git a/sql/opt_range.cc b/sql/opt_range.cc index 8d36fdb4a18..a96014899fd 100644 --- a/sql/opt_range.cc +++ b/sql/opt_range.cc @@ -7982,7 +7982,7 @@ SEL_TREE *Item_func_in::get_func_mm_tree(RANGE_OPT_PARAM *param, if (!tree) break; i++; - } while (i < array->count && tree->type == SEL_TREE::IMPOSSIBLE); + } while (i < array->used_count && tree->type == SEL_TREE::IMPOSSIBLE); if (!tree || tree->type == SEL_TREE::IMPOSSIBLE) {