author | unknown <gshchepa/uchum@gleb.loc> | 2007-07-30 04:35:16 +0500 |
---|---|---|
committer | unknown <gshchepa/uchum@gleb.loc> | 2007-07-30 04:35:16 +0500 |
commit | 33fc4ad4e124413ef617a1a073bb50135f6a12af (patch) | |
tree | 217ada9fdf9cbaee6091b563f7c98f522334fb25 /sql/sp_head.cc | |
parent | d86f0a1382c71a6e1bb4f7d8d42cf2b8336c02cc (diff) | |
download | mariadb-git-33fc4ad4e124413ef617a1a073bb50135f6a12af.tar.gz |
Fixed bug #30120.

SP with local variables with non-ASCII names crashed the server.

The server replaces SP local variable names with NAME_CONST calls
when putting statements into the binary log. It used UTF8-encoded
item names as variable names for the replacement inside NAME_CONST
calls. However, statement string may be encoded by any
known character set by the SET NAMES statement.
The server used byte length of UTF8-encoded names to increment
the position in the query string that led to array index overrun.

sql/item.cc:
  Fixed bug #30120.
  The Item_splocal class constructor has been modified to
  accept new parameter `len_in_q': the byte length of
  variable name in the query string.

sql/item.h:
  Fixed bug #30120.
  The Item_splocal class has been modified to keep new
  field `len_in_query': the byte length of variable name in
  the query string.

sql/sp_head.cc:
  Fixed bug #30120.
  The subst_spvars function has been modified to increment
  position in the query string by the lengths of not
  encoded variable names instead of byte length of names
  encoded to UTF-8.

sql/sql_yacc.yy:
  Fixed bug #30120.
  The simple_ident rule action has been modified to
  pass the byte length of the local variable name token
  to the Item_splocal object constructor.

mysql-test/t/sp.test:
  Updated test case for bug #30120.

mysql-test/r/sp.result:
  Updated test case for bug #30120.

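
The length mismatch described in the commit message, as an added example that is not code from this commit or from the server: `SpLocalRef`, `subst_names`, the cp1251 sample statement and the constant value `1` are constructed for illustration. The walk reports an out-of-range cursor by returning `false` rather than reading past the buffer.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for the fields of Item_splocal that the walk uses.
struct SpLocalRef {
  std::string utf8_name;  // name as kept internally, UTF-8 encoded
  size_t pos_in_query;    // byte offset of the name in the statement text
  size_t len_in_query;    // byte length of the name as written in the statement
};

// Constructed sample: a cp1251 statement whose variable is three Cyrillic
// letters, 3 bytes in cp1251 and 6 bytes in UTF-8.
const std::string kQuery = "SELECT \xEF\xE5\xF0";
const std::vector<SpLocalRef> kRefs = {{"\xD0\xBF\xD0\xB5\xD1\x80", 7, 3}};

// Copies the text between references and replaces each reference with a
// NAME_CONST call. use_query_len=false reproduces the pre-fix arithmetic.
// Returns false, without touching memory outside `query`, as soon as the
// cursor would leave the buffer or move backwards.
bool subst_names(const std::string &query, const std::vector<SpLocalRef> &refs,
                 bool use_query_len, std::string &out) {
  size_t prev_pos = 0;
  out.clear();
  for (const SpLocalRef &r : refs) {
    if (r.pos_in_query < prev_pos || r.pos_in_query > query.size())
      return false;
    out.append(query, prev_pos, r.pos_in_query - prev_pos);
    size_t skip = use_query_len ? r.len_in_query : r.utf8_name.size();
    if (skip > query.size() - r.pos_in_query)
      return false;  // the skip would run past the end of the statement
    prev_pos = r.pos_in_query + skip;
    out += " NAME_CONST('" + r.utf8_name + "',1) ";  // value 1 is constructed
  }
  out.append(query, prev_pos, std::string::npos);
  return true;
}

int main() {
  std::string out;
  std::cout << "UTF-8 length:    " << subst_names(kQuery, kRefs, false, out) << "\n";
  std::cout << "length in query: " << subst_names(kQuery, kRefs, true, out) << "\n";
}
```

When the statement continues after the name, the UTF-8 length can stay inside the buffer and silently drop the bytes that follow the variable instead of overrunning.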
Diffstat (limited to 'sql/sp_head.cc')
-rw-r--r-- | sql/sp_head.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sp_head.cc b/sql/sp_head.cc index fd8724b2171..8f4d407a5b0 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -864,7 +864,7 @@ subst_spvars(THD *thd, sp_instr *instr, LEX_STRING *query_str) /* append the text between sp ref occurences */ res|= qbuf.append(cur + prev_pos, (*splocal)->pos_in_query - prev_pos); - prev_pos= (*splocal)->pos_in_query + (*splocal)->m_name.length; + prev_pos= (*splocal)->pos_in_query + (*splocal)->len_in_query; /* append the spvar substitute */ res|= qbuf.append(STRING_WITH_LEN(" NAME_CONST('")); |
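
Review bot: In `subst_spvars`, the new `prev_pos= (*splocal)->pos_in_query + (*splocal)->len_in_query;` is still used unchecked: nothing visible here verifies that the sum stays within `query_str->length`, or that the next reference's `pos_in_query` is not below `prev_pos` before `(*splocal)->pos_in_query - prev_pos` is passed to `qbuf.append` as a length. Since this walk is the one that overran the array, consider a `DBUG_ASSERT` on both conditions (or an error return) right after the assignment, so that a wrong `len_in_query` coming from any construction path fails loudly instead of indexing past the query string. A one-line comment stating that `len_in_query` is the byte length in the statement's character set while `m_name.length` is the UTF-8 length would keep the next reader from reverting this. Minor: "occurences" in the context comment should read "occurrences".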