From: Tor&nbsp;Didriksen
Date: February 7 2011 10:19am
Subject: bzr push into mysql-5.5 branch (tor.didriksen:3306 to 3307) Bug#59632
List-Archive: http://lists.mysql.com/commits/130540
X-Bug: 59632
Message-Id: <20110207101914.A4197376C@atum07.norway.sun.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

 3307 Tor Didriksen	2011-02-07
      Bug #59632 Assertion failed: arg_length > length
      
      The problem was overflow in max_length when we tried to des_decrypt()
      something which is not the output of des_encrypt()
     @ mysql-test/r/ssl_and_innodb.result
        New test case.
     @ mysql-test/t/ssl_and_innodb.test
        New test case.
     @ sql/item_strfunc.h
        Do not subtract the encrypt overhead (9U) if args[0] has length < 9
        (In unsigned arithmetic, (1-9) becomes a very large number)

    added:
      mysql-test/r/ssl_and_innodb.result
      mysql-test/t/ssl_and_innodb.test
    modified:
      sql/item_strfunc.h
 3306 Ole John Aske	2011-02-07 [merge]
      Merge of fix for bug#59308 from mysql-5.1 -> mysql-5.5

    modified:
      mysql-test/r/order_by.result
      mysql-test/t/order_by.test
      sql/sql_select.cc
=== added file 'mysql-test/r/ssl_and_innodb.result'
--- a/mysql-test/r/ssl_and_innodb.result	1970-01-01 00:00:00 +0000
+++ b/mysql-test/r/ssl_and_innodb.result	2011-02-07 10:17:46 +0000
@@ -0,0 +1,8 @@
+CREATE TABLE t1(a int) engine=innodb;
+INSERT INTO t1 VALUES (1);
+SELECT DISTINCT
+convert((SELECT des_decrypt(2,1) AS a FROM t1 WHERE @a:=1), signed) as d
+FROM t1 ;
+d
+2
+DROP TABLE t1;

=== added file 'mysql-test/t/ssl_and_innodb.test'
--- a/mysql-test/t/ssl_and_innodb.test	1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_and_innodb.test	2011-02-07 10:17:46 +0000
@@ -0,0 +1,11 @@
+-- source include/have_innodb.inc
+-- source include/have_ssl_crypto_functs.inc
+
+CREATE TABLE t1(a int) engine=innodb;
+INSERT INTO t1 VALUES (1);
+
+SELECT DISTINCT
+convert((SELECT des_decrypt(2,1) AS a FROM t1 WHERE @a:=1), signed) as d
+FROM t1 ;
+
+DROP TABLE t1;

=== modified file 'sql/item_strfunc.h'
--- a/sql/item_strfunc.h	2011-01-17 12:26:13 +0000
+++ b/sql/item_strfunc.h	2011-02-07 10:17:46 +0000
@@ -1,7 +1,7 @@
 #ifndef ITEM_STRFUNC_INCLUDED
 #define ITEM_STRFUNC_INCLUDED
 
-/* Copyright (C) 2000-2003 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -361,7 +361,9 @@ public:
   {
     maybe_null=1;
     /* 9 = MAX ((8- (arg_len % 8)) + 1) */
-    max_length = args[0]->max_length - 9;
+    max_length= args[0]->max_length;
+    if (max_length >= 9U)
+      max_length-= 9U;
   }
   const char *func_name() const { return "des_decrypt"; }
 };

No bundle (reason: useless for push emails).