authorTor Didriksen <tor.didriksen@oracle.com>2013-06-14 16:38:27 +0200
committerTor Didriksen <tor.didriksen@oracle.com>2013-06-14 16:38:27 +0200
commit45f739bd9d4a98545ca2d7df7f13923e2d31faaa (patch)
treeb8d4007924e7adfcaf400fe6726763ad8e386dc4
parentc94ccb237e5f8b0f72c742746aa49f8ff8440f98 (diff)
downloadmariadb-git-45f739bd9d4a98545ca2d7df7f13923e2d31faaa.tar.gz
Bug#14834378 ADDRESSSANITIZER BUG IN FILENAME_TO_TABLENAME
Backport to 5.5 sql/sql_table.cc: gcc asan crashes in filename_to_tablename() on this: memcmp("-@", "#sql", 4) during loading of the innobase plugin
-rw-r--r--sql/sql_table.cc3
-rw-r--r--strings/ctype-utf8.c4
2 files changed, 5 insertions, 2 deletions
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index cb03411b9ef..c31ba5bb259 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -378,7 +378,8 @@ uint filename_to_tablename(const char *from, char *to, uint to_length
DBUG_ENTER("filename_to_tablename");
DBUG_PRINT("enter", ("from '%s'", from));
- if (!memcmp(from, tmp_file_prefix, tmp_file_prefix_length))
+ if (strlen(from) >= tmp_file_prefix_length &&
+ !memcmp(from, tmp_file_prefix, tmp_file_prefix_length))
{
/* Temporary table name. */
res= (strnmov(to, from, to_length) - to);
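Review bot: The added `strlen(from) >= tmp_file_prefix_length` guard removes the over-read but scans the whole name before comparing a few bytes; `if (!strncmp(from, tmp_file_prefix, tmp_file_prefix_length))` would give the same answer in one bounded pass, because strncmp stops at the terminator of `from`. That equivalence assumes tmp_file_prefix_length is the length of tmp_file_prefix with no embedded NUL, which the commit message's memcmp("-@", "#sql", 4) suggests but the hunk does not show. Whichever form is kept, a short comment such as `/* from may be shorter than the prefix; never compare past its NUL */` would stop the guard from being simplified away later. The `strnmov(to, from, to_length)` in the context lines deserves a separate look for termination of `to` when `from` is longer than `to_length`; the rest of filename_to_tablename lies outside the hunk, so this may already be handled there.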
diff --git a/strings/ctype-utf8.c b/strings/ctype-utf8.c
index 343884827e1..4976a9cf31a 100644
--- a/strings/ctype-utf8.c
+++ b/strings/ctype-utf8.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
@@ -4391,6 +4391,8 @@ my_mb_wc_filename(CHARSET_INFO *cs __attribute__((unused)),
return MY_CS_TOOSMALL3;
byte1= s[1];
+ if (byte1 == 0)
+ return MY_CS_ILSEQ; /* avoid possible out-of-bounds read */
byte2= s[2];
if (byte1 >= 0x30 && byte1 <= 0x7F &&
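Review bot: The new `byte1 == 0` test protects only the read of `s[2]`, and it is needed although the preceding bounds check (the one returning MY_CS_TOOSMALL3) has evidently passed, which suggests that some caller supplies an end pointer beyond the real end of a NUL-terminated string. The comment would be more useful if it said so, for example `/* end pointer may overstate the buffer; stop at the NUL before reading s[2] */`. Any later reads at `s[3]` or beyond in my_mb_wc_filename are outside this hunk and would need the same terminator check if they exist. Correcting the end pointer at the call site would address the cause rather than the symptom, and would be worth doing alongside this defensive check.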