From cdb8358503e38d3f6bc4aca624c9da1e0211a42e Mon Sep 17 00:00:00 2001
From: "svoj@mysql.com/april.(none)" <>
Date: Wed, 25 Oct 2006 15:40:10 +0500
Subject: [PATCH] BUG#22053 - REPAIR table can crash server for some           
  really damaged MyISAM tables

When unpacking a blob column from broken row server crash
could happen. This could rather happen when trying to repair
a table using either REPAIR TABLE or myisamchk, though it
also could happend when trying to access broken row using
other SQL statements like SELECT if table is not marked as
crashed.

Fixed ulong overflow when trying to extract blob from
broken row.

Affects MyISAM only.
---
 myisam/mi_dynrec.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/myisam/mi_dynrec.c b/myisam/mi_dynrec.c
index 4dec3055fa1..727f44341b1 100644
--- a/myisam/mi_dynrec.c
+++ b/myisam/mi_dynrec.c
@@ -992,9 +992,11 @@ ulong _mi_rec_unpack(register MI_INFO *info, register byte *to, byte *from,
       {
 	uint size_length=rec_length- mi_portable_sizeof_char_ptr;
 	ulong blob_length=_mi_calc_blob_length(size_length,from);
-	if ((ulong) (from_end-from) - size_length < blob_length ||
-	    min_pack_length > (uint) (from_end -(from+size_length+blob_length)))
-	  goto err;
+        ulong from_left= (ulong) (from_end - from);
+        if (from_left < size_length ||
+            from_left - size_length < blob_length ||
+            from_left - size_length - blob_length < min_pack_length)
+          goto err;
 	memcpy((byte*) to,(byte*) from,(size_t) size_length);
 	from+=size_length;
 	memcpy_fixed((byte*) to+size_length,(byte*) &from,sizeof(char*));