wb_wc and wc_mb now checks length inside

11 files changed, 55 insertions, 5 deletions

diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 66f0510cc3d..03dd940db51 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -2014,9 +2014,8 @@ String *Item_func_conv_charset::val_str(String *str)
   d0=d=(unsigned char*)str->ptr();
   de=d+dmaxlen;
 
-  while (s < se && d < de)
+  while (1)
   {
-
     cnvres=from->mb_wc(from,&wc,s,se);
     if (cnvres>0)
     {
@@ -2089,8 +2088,8 @@ String *Item_func_conv_charset3::val_str(String *str)
   d0=d=(unsigned char*)str->ptr();
   de=d+dmaxlen;
 
-  while (s < se && d < de){
-
+  while (1)
+  {
     cnvres=from_charset->mb_wc(from_charset,&wc,s,se);
     if (cnvres>0)
     {
diff --git a/sql/sql_string.cc b/sql/sql_string.cc
index 0d604d043cc..654076c3f41 100644
--- a/sql/sql_string.cc
+++ b/sql/sql_string.cc
@@ -706,7 +706,7 @@ copy_and_convert(char *to, uint32 to_length, CHARSET_INFO *to_cs,
   char *to_start= to;
   uchar *to_end= (uchar*) to+to_length;
 
-  while ((uchar*) from < from_end)
+  while (1)
   {
     if ((cnvres=from_cs->mb_wc(from_cs, &wc, (uchar*) from, from_end)) > 0)
       from+= cnvres;
diff --git a/strings/ctype-big5.c b/strings/ctype-big5.c
index a475a36d049..37bf2aba509 100644
--- a/strings/ctype-big5.c
+++ b/strings/ctype-big5.c
@@ -6175,6 +6175,9 @@ my_wc_mb_big5(CHARSET_INFO *cs __attribute__((unused)),
 
   int code;
 
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+  
   if(wc<0x80)
   {
     s[0]=wc;
@@ -6200,6 +6203,9 @@ my_mb_wc_big5(CHARSET_INFO *cs __attribute__((unused)),
 
   int hi=s[0];
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+  
   if(hi<0x80)
   {
     pwc[0]=hi;
diff --git a/strings/ctype-bin.c b/strings/ctype-bin.c
index de137377c65..48d5536a2cb 100644
--- a/strings/ctype-bin.c
+++ b/strings/ctype-bin.c
@@ -96,6 +96,9 @@ static int my_mb_wc_bin(CHARSET_INFO *cs __attribute__((unused)),
 		  const unsigned char *str,
 		  const unsigned char *end __attribute__((unused)))
 {
+  if (str >= end)
+    return MY_CS_TOOFEW(0);
+  
   *wc=str[0];
   return 1;
 }
@@ -105,6 +108,9 @@ static int my_wc_mb_bin(CHARSET_INFO *cs __attribute__((unused)),
 		  unsigned char *s,
 		  unsigned char *e __attribute__((unused)))
 {
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+
   if (wc < 256)
   {
     s[0]= (char) wc;
diff --git a/strings/ctype-euc_kr.c b/strings/ctype-euc_kr.c
index ee75673e1c5..d4eebdcb4a9 100644
--- a/strings/ctype-euc_kr.c
+++ b/strings/ctype-euc_kr.c
@@ -8593,6 +8593,9 @@ my_wc_mb_euc_kr(CHARSET_INFO *cs __attribute__((unused)),
 {
   int code;
   
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+  
   if (wc<0x80)
   {
     s[0]=wc;
@@ -8618,6 +8621,9 @@ my_mb_wc_euc_kr(CHARSET_INFO *cs __attribute__((unused)),
   
   int hi=s[0];
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+  
   if (hi<0x80)
   {
     pwc[0]=hi;
diff --git a/strings/ctype-gb2312.c b/strings/ctype-gb2312.c
index 0820d03b2d0..b01053866be 100644
--- a/strings/ctype-gb2312.c
+++ b/strings/ctype-gb2312.c
@@ -5643,6 +5643,9 @@ my_wc_mb_gb2312(CHARSET_INFO *cs  __attribute__((unused)),
 {
   int code;
   
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+
   if (wc<0x80)
   {
     s[0]=wc;
@@ -5668,6 +5671,9 @@ my_mb_wc_gb2312(CHARSET_INFO *cs  __attribute__((unused)),
   
   hi=s[0];
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+  
   if(hi<0x80)
   {
     pwc[0]=hi;
diff --git a/strings/ctype-gbk.c b/strings/ctype-gbk.c
index 3aff098cd14..c65c9f2123e 100644
--- a/strings/ctype-gbk.c
+++ b/strings/ctype-gbk.c
@@ -9829,6 +9829,9 @@ my_wc_mb_gbk(CHARSET_INFO *cs  __attribute__((unused)),
 {
   int code;
   
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+  
   if (wc<0x80)
   {
     s[0]=wc;
@@ -9852,6 +9855,9 @@ my_mb_wc_gbk(CHARSET_INFO *cs __attribute__((unused)),
 {
   int hi;
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+  
   hi=s[0];
   
   if (hi<0x80)
diff --git a/strings/ctype-simple.c b/strings/ctype-simple.c
index 99d03e187b1..e028a027484 100644
--- a/strings/ctype-simple.c
+++ b/strings/ctype-simple.c
@@ -106,6 +106,9 @@ int my_mb_wc_8bit(CHARSET_INFO *cs,my_wc_t *wc,
 		  const unsigned char *str,
 		  const unsigned char *end __attribute__((unused)))
 {
+  if (str >= end)
+    return MY_CS_TOOFEW(0);
+  
   *wc=cs->tab_to_uni[*str];
   return (!wc[0] && str[0]) ? MY_CS_ILSEQ : 1;
 }
@@ -116,6 +119,9 @@ int my_wc_mb_8bit(CHARSET_INFO *cs,my_wc_t wc,
 {
   MY_UNI_IDX *idx;
 
+  if (str >= end)
+    return MY_CS_TOOSMALL;
+  
   for (idx=cs->tab_from_uni; idx->tab ; idx++)
   {
     if (idx->from <= wc && idx->to >= wc)
diff --git a/strings/ctype-sjis.c b/strings/ctype-sjis.c
index b19bcf1a45a..0408332ee30 100644
--- a/strings/ctype-sjis.c
+++ b/strings/ctype-sjis.c
@@ -4420,6 +4420,9 @@ my_wc_mb_sjis(CHARSET_INFO *cs  __attribute__((unused)),
 {
   int code;
   
+  if (s >= e)
+    return MY_CS_TOOSMALL;
+  
   if(wc<0x80)
   {
     s[0]=wc;
@@ -4442,6 +4445,9 @@ my_mb_wc_sjis(CHARSET_INFO *cs  __attribute__((unused)),
 	      my_wc_t *pwc, const uchar *s, const uchar *e){
   int hi=s[0];
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+  
   if(hi<0x80)
   {
     pwc[0]=hi;
diff --git a/strings/ctype-ujis.c b/strings/ctype-ujis.c
index 12e177a89be..211b42db470 100644
--- a/strings/ctype-ujis.c
+++ b/strings/ctype-ujis.c
@@ -8350,6 +8350,9 @@ my_wc_mb_euc_jp(CHARSET_INFO *c,my_wc_t wc, unsigned char *s, unsigned char *e)
   unsigned char buf[2];
   unsigned char c1;
   int ret,jp;
+
+  if (s >= e)
+    return MY_CS_TOOSMALL;
   
   if (wc<0x80)
   { 
diff --git a/strings/ctype-utf8.c b/strings/ctype-utf8.c
index a237b6f14a0..3f859223a15 100644
--- a/strings/ctype-utf8.c
+++ b/strings/ctype-utf8.c
@@ -1586,6 +1586,9 @@ static int my_utf8_uni (CHARSET_INFO *cs __attribute__((unused)) ,
 {
   unsigned char c = s[0];
   
+  if (s >= e)
+    return MY_CS_TOOFEW(0);
+
   if (c < 0x80) 
   {
     *pwc = c;
@@ -1688,6 +1691,9 @@ static int my_uni_utf8 (CHARSET_INFO *cs __attribute__((unused)) ,
 {
   int count;
 
+  if (r >= e)
+    return MY_CS_TOOSMALL;
+  
   if (wc < 0x80) 
     count = 1;
   else if (wc < 0x800)