Fixed a memory overrun in dynamic columns when sending in a mailformed (too short in this case) string.

mysql-test/t/dyncol.test:
  Added test case for mailformed string usage
mysys/ma_dyncol.c:
  Added test for wrong dynamic string data

1 files changed, 9 insertions, 1 deletions

diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c
index 6a8e4d689f3..a9cb3c42655 100644
--- a/mysys/ma_dyncol.c
+++ b/mysys/ma_dyncol.c
@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
           type_and_offset_read(&tp, &offs, read, offset_size);
           if (k == start)
             first_offset= offs;
+          else if (offs < first_offset)
+          {
+            dynamic_column_column_free(&tmp);
+            rc= ER_DYNCOL_FORMAT;
+            goto end;
+          }
+
           offs+= plan[i].ddelta;
           int2store(write, nm);
           /* write rest of data at write + COLUMN_NUMBER_SIZE */
@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
           get_length_interval(header_base + start * entry_size,
                               header_base + end * entry_size,
                               header_end, offset_size, max_offset);
-        if ((long) data_size < 0)
+        if ((long) data_size < 0 ||
+            data_size > max_offset - first_offset)
         {
           dynamic_column_column_free(&tmp);
           rc= ER_DYNCOL_FORMAT;