From 20089f5a39fa8f6f08113f12ed87c34e844c4fc6 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.org>
Date: Fri, 8 Dec 2017 14:40:27 +0400
Subject: [PATCH] MDEV-14596 Crash in INTERVAL(ROW(..),ROW(..))

---
 mysql-test/r/func_set.result |  9 +++++++++
 mysql-test/t/func_set.test   | 11 +++++++++++
 sql/item_cmpfunc.cc          | 13 +++++++++++++
 sql/item_cmpfunc.h           |  1 +
 4 files changed, 34 insertions(+)

diff --git a/mysql-test/r/func_set.result b/mysql-test/r/func_set.result
index 9c4976d46db16..ca1ccd71c9087 100644
--- a/mysql-test/r/func_set.result
+++ b/mysql-test/r/func_set.result
@@ -220,3 +220,12 @@ NULL
 1,2,3,4,5,6,7
 
 DROP TABLE t1;
+#
+# MDEV-14596 Crash in INTERVAL(ROW(..),ROW(..))
+#
+SELECT INTERVAL(ROW(1,1),ROW(1,2));
+ERROR 21000: Operand should contain 1 column(s)
+SELECT INTERVAL(1,ROW(1,2));
+ERROR 21000: Operand should contain 1 column(s)
+SELECT INTERVAL(ROW(1,2),1);
+ERROR 21000: Operand should contain 1 column(s)
diff --git a/mysql-test/t/func_set.test b/mysql-test/t/func_set.test
index ba984113fd7c2..887b1948498c2 100644
--- a/mysql-test/t/func_set.test
+++ b/mysql-test/t/func_set.test
@@ -136,3 +136,14 @@ SELECT * FROM t1 WHERE FIND_IN_SET(NULL, NULL) IS UNKNOWN;
 
 --echo
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-14596 Crash in INTERVAL(ROW(..),ROW(..))
+--echo #
+
+--error ER_OPERAND_COLUMNS
+SELECT INTERVAL(ROW(1,1),ROW(1,2));
+--error ER_OPERAND_COLUMNS
+SELECT INTERVAL(1,ROW(1,2));
+--error ER_OPERAND_COLUMNS
+SELECT INTERVAL(ROW(1,2),1);
diff --git a/sql/item_cmpfunc.cc b/sql/item_cmpfunc.cc
index ebe088e509220..62e76922c0ee5 100644
--- a/sql/item_cmpfunc.cc
+++ b/sql/item_cmpfunc.cc
@@ -2001,6 +2001,19 @@ bool Item_func_opt_neg::eq(const Item *item, bool binary_cmp) const
 }
 
 
+bool Item_func_interval::fix_fields(THD *thd, Item **ref)
+{
+  if (Item_int_func::fix_fields(thd, ref))
+    return true;
+  for (uint i= 0 ; i < row->cols(); i++)
+  {
+    if (row->element_index(i)->check_cols(1))
+      return true;
+  }
+  return false;
+}
+
+
 void Item_func_interval::fix_length_and_dec()
 {
   uint rows= row->cols();
diff --git a/sql/item_cmpfunc.h b/sql/item_cmpfunc.h
index a8befa47b956d..7b7ca9223fdb1 100644
--- a/sql/item_cmpfunc.h
+++ b/sql/item_cmpfunc.h
@@ -728,6 +728,7 @@ class Item_func_interval :public Item_int_func
   {
     allowed_arg_cols= 0;    // Fetch this value from first argument
   }
+  bool fix_fields(THD *, Item **);
   longlong val_int();
   void fix_length_and_dec();
   const char *func_name() const { return "interval"; }