From: Harin Vadodaria
Date: December 13 2012 4:55am
Subject: bzr push into mysql-5.6 branch (harin.vadodaria:4767 to 4768) Bug#15965288
List-Archive: http://lists.mysql.com/commits/145500
X-Bug: 15965288
Message-Id: <20121213045517.3519.32309.4768@hvadodar-ThinkPad-T420>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

4768 Harin Vadodaria 2012-12-13 [merge]
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION DOPROCESSREPLY()

Description: Merge from 5.5 to 5.6.

modified:
extra/yassl/src/handshake.cpp

4767 Sunny Bains 2012-12-13
Bug#4789249 - LOCKING ASSERT IN FK UPDATE CASCADE CODE, LOCK->TRX->LOCK.WAIT_LOCK == LOCK
Bug#14707091 SEGV IN LOCK_DEADLOCK_LOCK_PRINT(), NULL LOCK PTR

Joining T1 does a deadlock check due to wait.
T1 is selected as victim (but not rolled back), for any number of reasons.
We try and resolve more deadlocks:
- T2 is selected as a victim and rolled back.
- This grants T1 the lock and it is no longer the victim.

Since T1 was originally selected as a victim, when we go to reset its lock state we trip over the invariant that it must still be in the wait state.

Fix is to check if T1 was granted a lock when T2 was rolled back during additional deadlock checking.

Approved by Jimmy Yang rb#1619.

modified:
storage/innobase/lock/lock0lock.cc

=== modified file 'extra/yassl/src/handshake.cpp'
--- a/extra/yassl/src/handshake.cpp 2012-07-24 13:24:00 +0000
+++ b/extra/yassl/src/handshake.cpp 2012-12-13 04:51:09 +0000
@@ -762,8 +762,14 @@ int DoProcessReply(SSL& ssl) while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { // each message in record, can be more than 1 if not encrypted - if (ssl.getSecurity().get_parms().pending_ == false) // cipher on + if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on + // sanity check for malicious/corrupted/illegal input + if (buffer.get_remaining() < hdr.length_) { + ssl.SetError(bad_input); + return 0; + } decrypt_message(ssl, buffer, hdr.length_); + } mySTL::auto_ptr msg(mf.CreateObject(hdr.type_)); if (!msg.get()) { No bundle (reason: useless for push emails).
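Review bot: the new `buffer.get_remaining() < hdr.length_` guard is only reached on the encrypted branch (`pending_ == false`); when the cipher is not yet active, control falls straight through to `mf.CreateObject(hdr.type_)` and message parsing with `hdr.length_` still unchecked against the bytes actually present, and the enclosing `while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset)` condition does not establish that bound either. Either confirm that the per-message parsers bound-check on their own, or hoist the check above the `if` so a record header claiming more bytes than were received hits `SetError(bad_input)` on both paths. Since `hdr.length_` does not change across loop iterations, the check could also sit once before the `while`, and a regression test feeding a record whose header length exceeds its payload would pin the new `return 0` path down.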