From: Date: September 15 2008 11:29pm Subject: bzr commit into mysql-5.1-bugteam branch (kpettersson:2677) Bug#38469 List-Archive: http://lists.mysql.com/commits/54163 X-Bug: 38469 Message-Id: <20080915212928.689F0530095@Adventure> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit #At file:///home/thek/Development/cpp/mysqlbzr/mysql-5.0-bug38469/ 2677 Kristofer Pettersson 2008-09-15 Bug#38469 invalid memory read and/or crash with utf8 text field, stored procedure, uservar A stored procedure involving substrings could crash the server on certain platforms because of invalid memory reads. This patch fixes this issue. modified: sql/field.cc per-file messages: sql/field.cc The source and destination address ranges of a character conversion must not overlap or the 'from' address will be invalidated as the temporary value- object is re-allocated to fit the new character set.
=== modified file 'sql/field.cc'
--- a/sql/field.cc 2008-05-06 16:43:46 +0000
+++ b/sql/field.cc 2008-09-15 21:29:12 +0000
@@ -7001,11 +7001,21 @@ int Field_blob::store(const char *from,u
 bmove(ptr+packlength,(char*) &from,sizeof(char*));
 return 0;
 }
+ }
+
+ /*
+ If the 'from' string is in the address range of the temporary 'value'-
+ object we need to copy the string to different location or it will be
+ invalidated when the 'value'-object is reallocated to make room for
+ the new character set.
+ */
+ if (from >= value.ptr() && from <= value.ptr()+value.length())
+ {
 if (tmpstr.copy(from, length, cs))
 goto oom_error;
 from= tmpstr.ptr();
 }
-
+
 new_length= min(max_data_length(), field_charset->mbmaxlen * length);
 if (value.alloc(new_length))
 goto oom_error;
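Review bot: The new guard `if (from >= value.ptr() && from <= value.ptr()+value.length())` applies relational operators to pointers that in the non-aliasing case belong to different allocations, which C++ leaves unspecified; comparing the addresses as integers, e.g. `(size_t)from >= (size_t)value.ptr() && (size_t)from <= (size_t)(value.ptr()+value.length())`, makes the aliasing test well-defined on every platform the bug report mentions. The upper bound uses `value.length()`, so a `from` that points past the current length but still inside value's allocated buffer would slip through and be invalidated by the `value.alloc(new_length)` a few lines below; if String exposes its allocated size (something like `alloced_length()`), bounding on that is the safer choice. The check also tests only where `from` starts, so a source that begins before `value.ptr()` and extends into it is not caught, which is presumably acceptable if no caller can pass such a pointer. Field_blob::store's body begins and continues outside this hunk.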