From: Harin Vadodaria Date: December 13 2012 4:54am Subject: bzr push into mysql-trunk branch (harin.vadodaria:5230 to 5231) Bug#15965288 List-Archive: http://lists.mysql.com/commits/145501 X-Bug: 15965288 Message-Id: <20121213045447.3508.4625.5231@hvadodar-ThinkPad-T420> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 5231 Harin Vadodaria 2012-12-13 [merge] Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION DOPROCESSREPLY() Description: Merge from 5.6 to trunk. modified: extra/yassl/src/handshake.cpp 5230 Sunny Bains 2012-12-13 [merge] Merge from mysql-5.6 to mysql-trunk. modified: storage/innobase/lock/lock0lock.cc === modified file 'extra/yassl/src/handshake.cpp' --- a/extra/yassl/src/handshake.cpp 2012-11-06 14:16:49 +0000 +++ b/extra/yassl/src/handshake.cpp 2012-12-13 04:53:33 +0000 @@ -762,8 +762,14 @@ int DoProcessReply(SSL& ssl) while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { // each message in record, can be more than 1 if not encrypted - if (ssl.getSecurity().get_parms().pending_ == false) // cipher on + if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on + // sanity check for malicious/corrupted/illegal input + if (buffer.get_remaining() < hdr.length_) { + ssl.SetError(bad_input); + return 0; + } decrypt_message(ssl, buffer, hdr.length_); + } mySTL::auto_ptr msg(mf.CreateObject(hdr.type_)); if (!msg.get()) { No bundle (reason: useless for push emails).
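Review bot: the new length check in the `DoProcessReply` hunk guards only the encrypted branch (`pending_ == false`); on the plaintext path the loop still falls through to `mf.CreateObject(hdr.type_)` and message parsing with `hdr.length_` never compared against `buffer.get_remaining()`. Either hoist the check above the `if`, so that `if (buffer.get_remaining() < hdr.length_) { ssl.SetError(bad_input); return 0; }` runs for both branches, or add a comment explaining why a truncated record cannot reach the plaintext branch. The commit message also only says "Merge from 5.6 to trunk" and should state what the overflow was and that the change rejects records whose advertised `hdr.length_` exceeds the bytes actually present in the buffer, since the bug number alone does not document the fix.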