Merge mysql-5.0-bugteam into mysql-5.1-bugteam.

6 files changed, 56 insertions, 4 deletions

diff --git a/mysql-test/r/limit.result b/mysql-test/r/limit.result
index 2acf74162a4..caed588acdb 100644
--- a/mysql-test/r/limit.result
+++ b/mysql-test/r/limit.result
@@ -111,3 +111,6 @@ set @a=-14632475938453979136;
 execute s using @a, @a;
 ERROR HY000: Incorrect arguments to EXECUTE
 End of 5.0 tests
+select 1 as a limit 4294967296,10;
+a
+End of 5.1 tests
diff --git a/mysql-test/r/sp.result b/mysql-test/r/sp.result
index 651f0b235d5..4052cd58c0f 100644
--- a/mysql-test/r/sp.result
+++ b/mysql-test/r/sp.result
@@ -6846,6 +6846,19 @@ select substr(`str`, `pos`+ 1 ) into `str`;
 end $
 call `p2`('s s s s s s');
 drop procedure `p2`;
+drop table if exists t1;
+drop procedure if exists p1;
+create procedure p1() begin select * from t1; end$
+call p1$
+ERROR 42S02: Table 'test.t1' doesn't exist
+create table t1 (a integer)$
+call p1$
+a
+alter table t1 add b integer;
+call p1$
+a
+drop table t1;
+drop procedure p1;
 # ------------------------------------------------------------------
 # -- End of 5.0 tests
 # ------------------------------------------------------------------
diff --git a/mysql-test/t/limit.test b/mysql-test/t/limit.test
index 9cccca1adc3..5847b90367a 100644
--- a/mysql-test/t/limit.test
+++ b/mysql-test/t/limit.test
@@ -95,3 +95,11 @@ set @a=-14632475938453979136;
 execute s using @a, @a;
 
 --echo End of 5.0 tests
+
+#
+# Bug#37075: offset of limit clause might be truncated to 0 on 32-bits server w/o big tables
+#
+
+select 1 as a limit 4294967296,10;
+
+--echo End of 5.1 tests
diff --git a/mysql-test/t/sp.test b/mysql-test/t/sp.test
index c1e8d4b6f6c..632201a9e77 100644
--- a/mysql-test/t/sp.test
+++ b/mysql-test/t/sp.test
@@ -8041,6 +8041,28 @@ delimiter ;$
 call `p2`('s s s s s s');
 drop procedure `p2`;
 
+#
+# Bug#38823: Invalid memory access when a SP statement does wildcard expansion
+#
+
+--disable_warnings
+drop table if exists t1;
+drop procedure if exists p1;
+--enable_warnings
+
+delimiter $;
+create procedure p1() begin select * from t1; end$
+--error ER_NO_SUCH_TABLE
+call p1$
+create table t1 (a integer)$
+call p1$
+alter table t1 add b integer;
+call p1$
+delimiter ;$
+
+drop table t1;
+drop procedure p1;
+
 --echo # ------------------------------------------------------------------
 --echo # -- End of 5.0 tests
 --echo # ------------------------------------------------------------------
diff --git a/sql/item.cc b/sql/item.cc
index 31f5bc06a9f..7b7c44b4719 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -1805,7 +1805,8 @@ Item_field::Item_field(THD *thd, Name_resolution_context *context_arg,
     be allocated in the statement memory, not in table memory (the table
     structure can go away and pop up again between subsequent executions
     of a prepared statement or after the close_tables_for_reopen() call
-    in mysql_multi_update_prepare()).
+    in mysql_multi_update_prepare() or due to wildcard expansion in stored
+    procedures).
   */
   {
     if (db_name)
diff --git a/sql/sql_lex.cc b/sql/sql_lex.cc
index 4ac73baa992..983d53a041d 100644
--- a/sql/sql_lex.cc
+++ b/sql/sql_lex.cc
@@ -2397,15 +2397,20 @@ void st_select_lex_unit::set_limit(st_select_lex *sl)
   val= sl->select_limit ? sl->select_limit->val_uint() : HA_POS_ERROR;
   select_limit_val= (ha_rows)val;
 #ifndef BIG_TABLES
-  /* 
+  /*
     Check for overflow : ha_rows can be smaller then ulonglong if
     BIG_TABLES is off.
     */
   if (val != (ulonglong)select_limit_val)
     select_limit_val= HA_POS_ERROR;
 #endif
-  offset_limit_cnt= (ha_rows)(sl->offset_limit ? sl->offset_limit->val_uint() :
-                                                 ULL(0));
+  val= sl->offset_limit ? sl->offset_limit->val_uint() : ULL(0);
+  offset_limit_cnt= (ha_rows)val;
+#ifndef BIG_TABLES
+  /* Check for truncation. */
+  if (val != (ulonglong)offset_limit_cnt)
+    offset_limit_cnt= HA_POS_ERROR;
+#endif
   select_limit_cnt= select_limit_val + offset_limit_cnt;
   if (select_limit_cnt < select_limit_val)
     select_limit_cnt= HA_POS_ERROR;		// no limit