Merge mysql-5.0-bugteam -> mysql-5.1-bugteam.

5 files changed, 32 insertions, 18 deletions

diff --git a/client/sql_string.cc b/client/sql_string.cc
index c41463999aa..82874a4b2ea 100644
--- a/client/sql_string.cc
+++ b/client/sql_string.cc
@@ -71,25 +71,22 @@ bool String::realloc(uint32 alloc_length)
     char *new_ptr;
     if (alloced)
     {
-      if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
-      else
-	return TRUE;				// Signal error
+      if (!(new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
+        return TRUE;				// Signal error
     }
     else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
     {
+      if (str_length > len - 1)
+        str_length= 0;
       if (str_length)				// Avoid bugs in memcpy on AIX
 	memcpy(new_ptr,Ptr,str_length);
       new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
       alloced=1;
     }
     else
       return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
   }
   Ptr[alloc_length]=0;			// This make other funcs shorter
   return FALSE;
diff --git a/mysql-test/r/func_str.result b/mysql-test/r/func_str.result
index 0824f13cafc..e73d320596d 100644
--- a/mysql-test/r/func_str.result
+++ b/mysql-test/r/func_str.result
@@ -2519,4 +2519,10 @@ def					format(a, 2)	253	49	4	Y	0	31	8
 format(a, 2)
 1.33
 drop table t1;
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+h	i
+31.12.2008	AAAAAA, aaaaaa
+DROP TABLE t1;
 End of 5.0 tests
diff --git a/mysql-test/t/func_str.test b/mysql-test/t/func_str.test
index 5d77c678d52..b71dbe91467 100644
--- a/mysql-test/t/func_str.test
+++ b/mysql-test/t/func_str.test
@@ -1273,4 +1273,13 @@ select format(a, 2) from t1;
 --disable_metadata
 drop table t1;
 
+#
+# Bug #41868: crash or memory overrun with concat + upper, date_format functions
+#
+
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+DROP TABLE t1;
+
 --echo End of 5.0 tests
diff --git a/sql/sql_class.cc b/sql/sql_class.cc
index 118dc5af68f..597478933d6 100644
--- a/sql/sql_class.cc
+++ b/sql/sql_class.cc
@@ -1587,6 +1587,11 @@ bool select_send::send_data(List<Item> &items)
       my_message(ER_OUT_OF_RESOURCES, ER(ER_OUT_OF_RESOURCES), MYF(0));
       break;
     }
+    /*
+      Reset buffer to its original state, as it may have been altered in
+      Item::send().
+    */
+    buffer.set(buff, sizeof(buff), &my_charset_bin);
   }
   thd->sent_row_count++;
   if (thd->is_error())
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
index 34b310931d6..3098e8ed044 100644
--- a/sql/sql_string.cc
+++ b/sql/sql_string.cc
@@ -71,25 +71,22 @@ bool String::realloc(uint32 alloc_length)
     char *new_ptr;
     if (alloced)
     {
-      if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
-      else
-	return TRUE;				// Signal error
+      if (!(new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
+        return TRUE;				// Signal error
     }
     else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
     {
+      if (str_length > len - 1)
+        str_length= 0;
       if (str_length)				// Avoid bugs in memcpy on AIX
 	memcpy(new_ptr,Ptr,str_length);
       new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
       alloced=1;
     }
     else
       return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
   }
   Ptr[alloc_length]=0;			// This make other funcs shorter
   return FALSE;