author: unknown <gkodinov/kgeorge@magare.gmz[kgeorge]> 2007-03-26 12:32:51 +0300
committer: unknown <gkodinov/kgeorge@magare.gmz[kgeorge]> 2007-03-26 12:32:51 +0300
commit: 9e6a59598c2ebfde37b843e23cf16d77c6c69392
tree: 6db39b6b491b4cb79b3ee24fb43c2b4e94e9e2e1 /mysql-test/t/sp-code.test
parent: c242662096e1ce16b249c478702be54c190d3f5e
Bug #26303: Reserve is not called before qs_append().
This may lead to buffer overflow. The String::qs_append() function will append a string without checking if there's enough space. So qs_append() must be called beforehand to ensure there's enough space in the buffer for the subsequent qs_append() calls. Fixed Item_case_expr::print() to make sure there's enough space before appending data by adding a call to String::reserve() to make sure qs_append() will have enough space.

mysql-test/r/sp-code.result: Bug #26303: test case
mysql-test/t/sp-code.test: Bug #26303: test case
sql/item.cc: Bug #26303: added a call to String::reserve() to make sure qs_append will have enough space
sql/item.h: Bug #26303: m_case_expr_id made unsigned because it's offset in an array.
Diffstat (limited to 'mysql-test/t/sp-code.test')
-rw-r--r-- mysql-test/t/sp-code.test 18
1 files changed, 18 insertions, 0 deletions
diff --git a/mysql-test/t/sp-code.test b/mysql-test/t/sp-code.test
index 97bc29fcad2..1b33680cfaf 100644
--- a/mysql-test/t/sp-code.test
+++ b/mysql-test/t/sp-code.test
@@ -447,3 +447,21 @@ DROP PROCEDURE p1;
--echo End of 5.0 tests.
+
+#
+# Bug #26303: reserve() not called before qs_append() may lead to buffer
+# overflow
+#
+DELIMITER //;
+CREATE PROCEDURE p1()
+BEGIN
+ DECLARE dummy int default 0;
+
+ CASE 12
+ WHEN 12
+ THEN SET dummy = 0;
+ END CASE;
+END//
+DELIMITER ;//
+SHOW PROCEDURE CODE p1;
+DROP PROCEDURE p1;
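Review bot: the only check in this case is the recorded output of `SHOW PROCEDURE CODE p1;`, and a write past the end of the buffer does not have to change that output, so the test can pass on a build without the fix unless it runs under a memory checker. Please say so in the `# Bug #26303` comment block (for example, that the case is meant to be run under Valgrind), and consider a procedure with more than the single `CASE 12` so that a longer string goes through the print path. Separately, the block is appended after `--echo End of 5.0 tests.`, which puts a 5.0 regression test outside the section that marker closes; moving it above the marker keeps the file's sectioning accurate.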