authorunknown <monty@narttu.mysql.fi>2003-09-24 14:33:23 +0300
committerunknown <monty@narttu.mysql.fi>2003-09-24 14:33:23 +0300
commit931633bbbb2b0d1336cccd3923cbe98b533426a3 (patch)
tree2dc31c2cc9196308a765bec6e54cfd85a1749281 /myisam
parent792aa09ee17b4ca88c92f297498237e46a4c7cf0 (diff)
Correct fix for buffer overruns for compressed blobs.
(Bugs #770, #1304 and maybe #1295)
Diffstat (limited to 'myisam')
-rw-r--r--myisam/mi_packrec.c4
-rw-r--r--myisam/myisamdef.h2
2 files changed, 4 insertions, 2 deletions
diff --git a/myisam/mi_packrec.c b/myisam/mi_packrec.c
index 1bd39aa900b..b21bf0b2163 100644
--- a/myisam/mi_packrec.c
+++ b/myisam/mi_packrec.c
@@ -743,7 +743,7 @@ static void uf_blob(MI_COLUMNDEF *rec, MI_BIT_BUFF *bit_buff,
{
ulong length=get_bits(bit_buff,rec->space_length_bits);
uint pack_length=(uint) (end-to)-mi_portable_sizeof_char_ptr;
- if (bit_buff->blob_pos+length > bit_buff->end)
+ if (bit_buff->blob_pos+length > bit_buff->blob_end)
{
bit_buff->error=1;
bzero((byte*) to,(end-to));
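Review bot: The corrected guard in uf_blob still forms the pointer sum `bit_buff->blob_pos+length` before comparing. `length` is a ulong read from the packed data by get_bits(), so a large enough value could push the sum past the end of the address space, which is undefined behaviour and in practice a wrap that lets the check pass. Comparing the length against the remaining room avoids the addition: `if (length > (ulong) (bit_buff->blob_end - bit_buff->blob_pos))`. Whether `space_length_bits` can be wide enough for this to matter is not visible here, and uf_blob's body continues outside the hunk.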
@@ -1067,6 +1067,7 @@ uint _mi_pack_get_block_info(MI_INFO *myisam, MI_BLOCK_INFO *info, File file,
&myisam->rec_buff)))
return BLOCK_FATAL_ERROR; /* not enough memory */
myisam->bit_buff.blob_pos=(uchar*) myisam->rec_buff+info->rec_len;
+ myisam->bit_buff.blob_end= myisam->bit_buff.blob_pos+info->blob_len;
myisam->blob_length=info->blob_len;
}
info->filepos=filepos+head_length;
@@ -1243,6 +1244,7 @@ static uchar *_mi_mempack_get_block_info(MI_INFO *myisam,MI_BLOCK_INFO *info,
&myisam->rec_buff)))
return 0; /* not enough memory */
myisam->bit_buff.blob_pos=(uchar*) myisam->rec_buff;
+ myisam->bit_buff.blob_end= (uchar*) myisam->rec_buff + info->blob_len;
}
return header;
}
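Review bot: The added line recomputes the base as `(uchar*) myisam->rec_buff + info->blob_len`, while the matching line in _mi_pack_get_block_info derives the end from `blob_pos`. Writing it the same way, `myisam->bit_buff.blob_end= myisam->bit_buff.blob_pos + info->blob_len;`, keeps the end pointer tied to the start pointer if the start offset ever changes. The enclosing branch starts outside the hunk, so the condition under which both pointers are set is not visible here.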
diff --git a/myisam/myisamdef.h b/myisam/myisamdef.h
index 7631b245b9b..e1df1d73191 100644
--- a/myisam/myisamdef.h
+++ b/myisam/myisamdef.h
@@ -213,7 +213,7 @@ typedef uint mi_bit_type;
typedef struct st_mi_bit_buff { /* Used for packing of record */
mi_bit_type current_byte;
uint bits;
- uchar *pos,*end,*blob_pos;
+ uchar *pos,*end,*blob_pos,*blob_end;
uint error;
} MI_BIT_BUFF;
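Review bot: The new `blob_end` member carries no comment, although the bounds check in uf_blob now depends on it being valid whenever `blob_pos` is. A comment above the pointer line would state that invariant, for example `/* blob_end: one past the last blob byte in rec_buff; must be set wherever blob_pos is set */`. Any assignment of `blob_pos` other than the two sites touched in mi_packrec.c (none are visible in this diff) would leave `blob_end` stale, and the check would then compare against a pointer from an earlier record.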