From 765452dbef57b71962950a9001ce21b64e1aba94 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.org>
Date: Tue, 14 Nov 2017 16:31:10 +0400
Subject: [PATCH] MDEV-14388 Server crashes in handle_select / val_uint in
 ORACLE mode

---
 .../compat/oracle/r/sp-cursor-rowtype.result  | 33 +++++++++++++++++
 .../compat/oracle/t/sp-cursor-rowtype.test    | 36 +++++++++++++++++++
 sql/sp_rcontext.cc                            |  6 ++++
 3 files changed, 75 insertions(+)

diff --git a/mysql-test/suite/compat/oracle/r/sp-cursor-rowtype.result b/mysql-test/suite/compat/oracle/r/sp-cursor-rowtype.result
index 3030a3dc658..a46daf30a8f 100644
--- a/mysql-test/suite/compat/oracle/r/sp-cursor-rowtype.result
+++ b/mysql-test/suite/compat/oracle/r/sp-cursor-rowtype.result
@@ -1359,3 +1359,36 @@ t2	CREATE TABLE "t2" (
   "b" varchar(3) DEFAULT NULL,
   "c" time DEFAULT NULL
 )
+#
+# MDEV-14388 Server crashes in handle_select / val_uint in ORACLE mode
+#
+CREATE TABLE t1 (id INT);
+INSERT INTO t1 VALUES (0),(1),(2),(3);
+CREATE FUNCTION f1() RETURN INT is
+BEGIN
+FOR v1 in (SELECT id FROM t1)
+LOOP
+NULL;
+END LOOP;
+RETURN 1;
+END;
+$$
+SELECT f1();
+f1()
+1
+DROP FUNCTION f1;
+DROP TABLE t1;
+CREATE TABLE t1 (id INT);
+INSERT INTO t1 VALUES (1),(2),(3),(4);
+CREATE FUNCTION f1() RETURN INT IS
+CURSOR cur IS SELECT id FROM t1;
+rec cur%ROWTYPE;
+BEGIN
+RETURN 1;
+END;
+$$
+SELECT f1();
+f1()
+1
+DROP FUNCTION f1;
+DROP TABLE t1;
diff --git a/mysql-test/suite/compat/oracle/t/sp-cursor-rowtype.test b/mysql-test/suite/compat/oracle/t/sp-cursor-rowtype.test
index 19a50eacca1..fd148d1f261 100644
--- a/mysql-test/suite/compat/oracle/t/sp-cursor-rowtype.test
+++ b/mysql-test/suite/compat/oracle/t/sp-cursor-rowtype.test
@@ -1444,3 +1444,39 @@ BEGIN
 END;
 $$
 DELIMITER ;$$
+
+--echo #
+--echo # MDEV-14388 Server crashes in handle_select / val_uint in ORACLE mode
+--echo #
+
+CREATE TABLE t1 (id INT);
+INSERT INTO t1 VALUES (0),(1),(2),(3);
+DELIMITER $$;
+CREATE FUNCTION f1() RETURN INT is
+BEGIN
+  FOR v1 in (SELECT id FROM t1)
+  LOOP
+    NULL;
+  END LOOP;
+  RETURN 1;
+END;
+$$
+DELIMITER ;$$
+SELECT f1();
+DROP FUNCTION f1;
+DROP TABLE t1;
+
+CREATE TABLE t1 (id INT);
+INSERT INTO t1 VALUES (1),(2),(3),(4);
+DELIMITER $$;
+CREATE FUNCTION f1() RETURN INT IS
+  CURSOR cur IS SELECT id FROM t1;
+  rec cur%ROWTYPE;
+BEGIN
+  RETURN 1;
+END;
+$$
+DELIMITER ;$$
+SELECT f1();
+DROP FUNCTION f1;
+DROP TABLE t1;
diff --git a/sql/sp_rcontext.cc b/sql/sp_rcontext.cc
index ee13eac6a1c..b5aacb1ac0f 100644
--- a/sql/sp_rcontext.cc
+++ b/sql/sp_rcontext.cc
@@ -802,7 +802,13 @@ int sp_cursor::open_view_structure_only(THD *thd)
   if (!(thd->lex->limit_rows_examined= new (thd->mem_root) Item_uint(thd, 0)))
     return -1;
   thd->no_errors= true; // Suppress ER_QUERY_EXCEEDED_ROWS_EXAMINED_LIMIT
+  DBUG_ASSERT(!thd->killed);
   res= open(thd);
+  /*
+    The query possibly exited on LIMIT ROWS EXAMINED and set thd->killed.
+    Reset it now.
+  */
+  thd->reset_killed();
   thd->no_errors= thd_no_errors_save;
   thd->lex->limit_rows_examined= limit_rows_examined;
   return res;
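Review bot: The unconditional `thd->reset_killed()` added after `open(thd)` clears every kill state, not only the one raised by the LIMIT ROWS EXAMINED path, so a KILL QUERY/KILL CONNECTION or a statement-timeout kill that lands while open() runs is silently discarded and the stored routine keeps executing. The preceding `DBUG_ASSERT(!thd->killed)` only documents the entry-state assumption in debug builds; in a release build a kill already pending on entry would be wiped the same way. If the rows-examined limit sets a distinct state (ABORT_QUERY is the one MariaDB uses for that, as far as I recall — worth confirming against the enum in sql_class.h), the reset should be scoped to it, e.g. `if (thd->killed == ABORT_QUERY) thd->reset_killed();`, and the comment should say that other kill reasons are deliberately preserved. open_view_structure_only's declarations (including thd_no_errors_save) and its closing brace are outside the hunk.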