author | unknown <monty@mashka.mysql.fi> | 2002-12-11 13:32:31 +0200 |
---|---|---|
committer | unknown <monty@mashka.mysql.fi> | 2002-12-11 13:32:31 +0200 |
commit | 3c9b877b19bd4eaa4734ea5d699add9ca70a4e53 (patch) | |
tree | 13f329218555066905528ead26fa433e37531ab1 /libmysql | |
parent | 3bbf4e9701699de6b129743321ad9fb3d6a61175 (diff) | |
parent | 49162e0e54c085ecefb6893a5bd662e4f7b2f56a (diff) | |
download | mariadb-git-3c9b877b19bd4eaa4734ea5d699add9ca70a4e53.tar.gz |
Merge with 3.23
innobase/dict/dict0dict.c:
Auto merged
libmysql/libmysql.c:
Auto merged
scripts/make_binary_distribution.sh:
Auto merged
sql/mysqld.cc:
Auto merged
sql/sql_udf.cc:
Auto merged
sql/ha_innodb.cc:
Auto merged
innobase/include/db0err.h:
Skipped merge (Heikki wants to do this)
innobase/row/row0mysql.c:
Skipped merge (Heikki wants to do this)
sql/sql_show.cc:
Use local code
Diffstat (limited to 'libmysql')
-rw-r--r-- | libmysql/libmysql.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c
index 6965c1d79d8..49c110c738d 100644
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -982,7 +982,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
 else
 {
 cur->data[field] = to;
- if (to+len > end_to)
+ if (len > (ulong) (end_to - to))
 {
 free_rows(result);
 net->last_errno=CR_MALFORMED_PACKET;
@@ -1023,7 +1023,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
 {
 uint field;
 ulong pkt_len,len;
- uchar *pos,*prev_pos;
+ uchar *pos,*prev_pos, *end_pos;
 if ((pkt_len=net_safe_read(mysql)) == packet_error)
 return -1;
@@ -1031,6 +1031,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
 return 1; /* End of data */
 prev_pos= 0; /* allowed to write at packet[-1] */
 pos=mysql->net.read_pos;
+ end_pos=pos+pkt_len;
 for (field=0 ; field < fields ; field++)
 {
 if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
@@ -1040,6 +1041,12 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
 }
 else
 {
+ if (len > (ulong) (end_pos - pos))
+ {
+ mysql->net.last_errno=CR_UNKNOWN_ERROR;
+ strmov(mysql->net.last_error,ER(mysql->net.last_errno));
+ return -1;
+ }
 row[field] = (char*) pos;
 pos+=len;
 *lengths++=len; |
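Review bot: The cast in `len > (ulong) (end_to - to)` is a valid bound only while `to <= end_to`; once the pointer is past the end, the difference is negative and the cast turns it into a very large value that accepts any length. The same pattern is in the read_one_row hunk, `len > (ulong) (end_pos - pos)`, where `pos` is moved by net_field_length() immediately before the check, presumably with no bound of its own on the length prefix. Making the invariant explicit would close that gap: `if (to > end_to || len > (ulong) (end_to - to))` and `if (pos > end_pos || len > (ulong) (end_pos - pos))`. read_rows starts and ends outside the hunk, so whether `to <= end_to` already holds there cannot be confirmed from these lines.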
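Review bot: The new bounds failure in read_one_row is reported as `CR_UNKNOWN_ERROR`, while read_rows reports the same condition as `CR_MALFORMED_PACKET` (visible in the first hunk's context). A truncated or hostile row packet then looks like any other unknown failure to callers and in client logs. Using `mysql->net.last_errno=CR_MALFORMED_PACKET;` here would keep the two row readers consistent and make the condition detectable. The enclosing loop continues past the end of the hunk.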