From 71420b96e1806ab1e50106b26679cdd4e4b7dcd7 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Wed, 29 Apr 2026 15:50:19 +1000
Subject: [PATCH] MDEV-36344: UBSAN DsMrr_impl::dsmrr_init on null ptr

Under SQL_SELECT::test_quick_select there isn't a mrr buffer. The TRP_RANGE.mrr_buf_size is explictly sets its size to 0 in get_best_index_intersect. Rather than hit undefined behaviour in what eventually results in full_buf being nullptr, jump the case and go directly to use_default_impl.
---
 sql/multi_range_read.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sql/multi_range_read.cc b/sql/multi_range_read.cc
index 03d952c0f9e00..d7e5d1e4f7c28 100644
--- a/sql/multi_range_read.cc
+++ b/sql/multi_range_read.cc
@@ -1193,7 +1193,7 @@ int DsMrr_impl::dsmrr_init(handler *h_arg, RANGE_SEQ_IF *seq_funcs,
 buf_manager.reset_buffer_sizes= reset_buffer_sizes;
 buf_manager.redistribute_buffer_space= redistribute_buffer_space;
 }
- else
+ else if (full_buf)
 {
 /* index strategy doesn't need buffer, give all space to rowids*/
 rowid_buffer.set_buffer_space(full_buf, full_buf_end);
@@ -1201,6 +1201,8 @@ int DsMrr_impl::dsmrr_init(handler *h_arg, RANGE_SEQ_IF *seq_funcs,
 (int)is_mrr_assoc * sizeof(range_id_t)))
 goto use_default_impl;
 }
+ else
+ goto use_default_impl;

 // setup_two_handlers() will call dsmrr_close() will clears the filter.
 // Save its value and restore afterwards.
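Review bot: The new `else if (full_buf)` guard protects only the index-strategy branch; the branch that closes just above it (the two `buf_manager` assignments) begins outside this hunk, so it is not visible whether that path can also be entered with a null `full_buf`. If a zero `mrr_buf_size` can reach that branch as well, the same null-pointer use would presumably remain there. Testing the pointer once ahead of the whole `if`/`else`, for example `if (!full_buf) goto use_default_impl;`, would cover both branches. This should be confirmed against the part of dsmrr_init that precedes line 1193.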
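Review bot: The added `else goto use_default_impl;` has no comment, so the reason a null buffer falls back to the default implementation is recorded only in the commit message. A one-line comment above the `goto`, such as `/* No MRR buffer was supplied (mrr_buf_size == 0): use the default implementation */`, would keep that reasoning with the code. The diffstat lists only sql/multi_range_read.cc, so the commit adds no regression test; a test case exercising the MDEV-36344 query would let a UBSAN build catch a reintroduction of the null-pointer use. The `if` whose condition ends at `(int)is_mrr_assoc * sizeof(range_id_t)))` starts outside this hunk.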