authorGleb Shchepa <gshchepa@mysql.com>2008-06-27 20:56:41 +0500
committerGleb Shchepa <gshchepa@mysql.com>2008-06-27 20:56:41 +0500
commitb83b4697d229c78d85954b219cfed5caf428b20e (patch)
tree4583c35b2f4ba5f73996dc2dde6b0bccfe9c80e5 /sql
parent49417ad7c8e45792f5baafb9514b10684daba527 (diff)
backport from 6.0
Bug#35658 (An empty binary value leads to mysqld crash) Before this fix, the following token b'' caused the parser to crash when reading the binary value from the empty string. The crash was caused by: ptr+= max_length - 1; because max_length is unsigned and was 0, causing an overflow. With this fix, an empty binary literal b'' is parsed as a binary value 0, in Item_bin_string. mysql-test/r/varbinary.result: Bug#35658 (An empty binary value leads to mysqld crash) mysql-test/t/varbinary.test: Bug#35658 (An empty binary value leads to mysqld crash) sql/item.cc: Bug#35658 (An empty binary value leads to mysqld crash)
Diffstat (limited to 'sql')
-rw-r--r--sql/item.cc29
1 files changed, 18 insertions, 11 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 9ff1f8c0084..bf447581afa 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -5013,21 +5013,28 @@ Item_bin_string::Item_bin_string(const char *str, uint str_length)
if (!ptr)
return;
str_value.set(ptr, max_length, &my_charset_bin);
- ptr+= max_length - 1;
- ptr[1]= 0; // Set end null for string
- for (; end >= str; end--)
+
+ if (max_length > 0)
{
- if (power == 256)
+ ptr+= max_length - 1;
+ ptr[1]= 0; // Set end null for string
+ for (; end >= str; end--)
{
- power= 1;
- *ptr--= bits;
- bits= 0;
+ if (power == 256)
+ {
+ power= 1;
+ *ptr--= bits;
+ bits= 0;
+ }
+ if (*end == '1')
+ bits|= power;
+ power<<= 1;
}
- if (*end == '1')
- bits|= power;
- power<<= 1;
+ *ptr= (char) bits;
}
- *ptr= (char) bits;
+ else
+ ptr[0]= 0;
+
collation.set(&my_charset_bin, DERIVATION_COERCIBLE);
fixed= 1;
}
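Review bot: The new `else ptr[0]= 0;` branch near the end of the hunk writes one byte into a buffer whose allocation is not visible here, so it is only safe if the allocation reserves a terminator byte even when `max_length` is 0. A short comment would make that dependency explicit, for example `// b'': zero-length value, only the terminating NUL is stored`. The `if (max_length > 0)` guard also deserves a line of explanation, because what it prevents is the unsigned wrap of `max_length - 1` followed by a write through `ptr[1]` far outside the buffer: `// max_length is unsigned: 0 - 1 would wrap and move ptr out of the allocation`. The constructor starts above the hunk, so the allocation size and the initial value of `end` should be confirmed there before relying on either comment.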