From 3a3f8379cb37a8ba134728ace0c8f34fc63a8c37 Mon Sep 17 00:00:00 2001
From: "evgen@moonbone.local" <>
Date: Wed, 8 Feb 2006 15:12:48 +0300
Subject: [PATCH] Fixed bug#16752 Binary table files created in mysqld v4.1 caused buffer overrun and possibly server crash in mysqld v5.0. Reported MyISAM table was created in mysqld 4.1 and contains varchar field. When binary files of that table was moved to 5.0, mysqld treats that varchar field as a string field. In order to make grouping server calculates group buffer, and because that field is string server assumes it has fixed length and doesn't add space for length, but later that field is converted to varchar field. Due to this, when field values were actually copied, additional space for length bytes is taken and buffer overrun occurs, which may lead to server crash. The calc_group_buffer() function now reserves additional space for length bytes for VAR_STRING fields, like for VARCHAR fields.
---
 sql/sql_select.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 63d46934555..aa2228ec0d8 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -12717,11 +12717,12 @@ calc_group_buffer(JOIN *join,ORDER *group)
 Field *field= group_item->get_tmp_table_field();
 if (field)
 {
- if (field->type() == FIELD_TYPE_BLOB)
+ enum_field_types type;
+ if ((type= field->type()) == FIELD_TYPE_BLOB)
 key_length+=MAX_BLOB_WIDTH; // Can't be used as a key
- else if (field->type() == MYSQL_TYPE_VARCHAR)
+ else if (type == MYSQL_TYPE_VARCHAR || type == MYSQL_TYPE_VAR_STRING)
 key_length+= field->field_length + HA_KEY_BLOB_LENGTH;
- else if (field->type() == FIELD_TYPE_BIT)
+ else if (type == FIELD_TYPE_BIT)
 {
 /* Bit is usually stored as a longlong key for group fields */
 key_length+= 8; // Big enough
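Review bot: The added `MYSQL_TYPE_VAR_STRING` comparison is the entire fix for the overrun, yet nothing in the code says why a VAR_STRING field is sized like a VARCHAR; the reason stated in the commit message (the field is later converted to a VARCHAR tmp-table field, so its length bytes must be reserved when the group buffer is sized) should sit next to the condition, e.g. `/* VAR_STRING (pre-5.0 varchar) is converted to VARCHAR in the tmp table, so reserve room for its length bytes too (bug#16752) */`. The assignment buried in the condition, `if ((type= field->type()) == FIELD_TYPE_BLOB)`, reads worse than initializing the local at its declaration: `enum_field_types type= field->type();` followed by `if (type == FIELD_TYPE_BLOB)`. The chain now mixes the `FIELD_TYPE_*` and `MYSQL_TYPE_*` spellings of the same enumeration on adjacent lines; using one spelling throughout would make the new type list easier to audit. Since the crash came from this sizing disagreeing with the later copy, a comment here noting that the size must stay in step with the code that writes group values into the buffer would presumably help the next person who adds a field type, though that copy path is not visible in the hunk. calc_group_buffer() begins before the hunk and the `else if (type == FIELD_TYPE_BIT)` block it opens continues past it.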