author: unknown <gkodinov/kgeorge@macbook.gmz> 2006-11-13 12:28:55 +0200
committer: unknown <gkodinov/kgeorge@macbook.gmz> 2006-11-13 12:28:55 +0200
commit: f53af7b8e5a8913af0625031304eb824b6330e4b (patch)
tree: ba15fc6e9927f2912d39569bd3b43edf678f3427 /sql-common
parent: 8b447a8af71cb44be048a451ec19177015d2a8bc (diff)
download: mariadb-git-f53af7b8e5a8913af0625031304eb824b6330e4b.tar.gz
Bug #19216: Client crashes on long SELECT

The server sends a number of columns to the client. It uses a limited "fast" function for that instead of the general one. This fast function cannot send numbers larger than 2 bytes. This causes the client to expect a smaller number of columns. The client writes outside of the allocated memory buffer as a result. Fixed the server to use the general function to send column count. Fixed the client to check the column count before writing column data.

mysql-test/t/mysql_client.test:
  Bug #19216: Client crashes on long SELECT
  - test case
sql/protocol.cc:
  Bug #19216: Client crashes on long SELECT
  - renamed the function for better comprehension and made it local
  - used the right (non-local) function to transfer the column count in Protocol::send_fields
sql/protocol.h:
  Bug #19216: Client crashes on long SELECT
  - made optimized net_store_length local
sql-common/client.c:
  Bug #19216: Client crashes on long SELECT
  - fixed the client to check for older servers (without the fix).
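The bug described in the commit message is a length-encoding mismatch: the server encodes the column count with an encoder that only knows the short forms, the client decodes whatever arrives, sizes its field array from that, and then fills it from the (larger) stream of field packets. The example below is added here and is not code from this commit or from MariaDB; it models both encoders and the client-side bounds check in one runnable file. It assumes the MySQL length-coded integer layout as generally documented (values below 251 in one byte, prefix 252/253/254 followed by 2, 3 or 8 little-endian bytes); the function names `store_length_general`, `store_length_fast`, `read_length`, `unpack_fields_checked` and `simulate_send_fields` are mine, not the project's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* General length-coded integer encoder (assumed MySQL protocol layout;
   illustrative re-implementation, not the server's net_store_length).
   Returns the number of bytes written to `to` (at most 9). */
size_t store_length_general(unsigned char *to, uint64_t v)
{
    if (v < 251) { to[0] = (unsigned char)v; return 1; }
    if (v < 65536ULL) {
        to[0] = 252; to[1] = v & 0xff; to[2] = (v >> 8) & 0xff;
        return 3;
    }
    if (v < 16777216ULL) {
        to[0] = 253; to[1] = v & 0xff; to[2] = (v >> 8) & 0xff;
        to[3] = (v >> 16) & 0xff;
        return 4;
    }
    to[0] = 254;
    for (int i = 0; i < 8; i++) to[1 + i] = (v >> (8 * i)) & 0xff;
    return 9;
}

/* Model of the limited "fast" encoder the commit message describes: it only
   emits the 1- and 3-byte forms, so a count above 65535 silently keeps just
   its low 16 bits. This is the defect, kept on purpose for comparison. */
size_t store_length_fast(unsigned char *to, uint64_t v)
{
    if (v < 251) { to[0] = (unsigned char)v; return 1; }
    to[0] = 252; to[1] = v & 0xff; to[2] = (v >> 8) & 0xff;  /* high bits lost */
    return 3;
}

/* Decoder for the same layout. Returns bytes consumed, or 0 if `avail` is too
   short or the prefix byte is not a valid length-coded form. */
size_t read_length(const unsigned char *from, size_t avail, uint64_t *out)
{
    if (avail < 1) return 0;
    unsigned char c = from[0];
    if (c < 251) { *out = c; return 1; }
    size_t need;
    if (c == 252) need = 2;
    else if (c == 253) need = 3;
    else if (c == 254) need = 8;
    else return 0;
    if (avail < 1 + need) return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < need; i++) v |= (uint64_t)from[1 + i] << (8 * i);
    *out = v;
    return 1 + need;
}

/* Client side: allocate `advertised` field slots, then store the field rows
   the server actually sent. The check before each write is the point of the
   fix: a count smaller than the row stream yields an error instead of a
   write past the end of the allocation. Returns fields stored, or -1. */
long unpack_fields_checked(uint64_t advertised, uint64_t rows_sent)
{
    if (advertised > 1000000ULL) return -1;        /* sanity cap for the demo */
    unsigned char *slots = calloc(advertised ? advertised : 1, 1);
    if (!slots) return -1;
    uint64_t field = 0;
    for (uint64_t row = 0; row < rows_sent; row++, field++) {
        if (field >= advertised) { free(slots); return -1; }  /* the check */
        slots[field] = 1;   /* stands in for copying the field's strings */
    }
    free(slots);
    return (long)field;
}

/* End to end: the server encodes `columns` with one of the two encoders and
   then sends `columns` field rows; the client decodes the count and unpacks.
   Returns 0 on success, -1 if the bounds check caught a mismatch. */
int simulate_send_fields(uint64_t columns, int use_fast_encoder)
{
    unsigned char wire[9];
    size_t n = use_fast_encoder ? store_length_fast(wire, columns)
                                : store_length_general(wire, columns);
    uint64_t advertised;
    if (read_length(wire, n, &advertised) == 0) return -1;
    return unpack_fields_checked(advertised, columns) < 0 ? -1 : 0;
}
```

With 70000 columns the fast encoder advertises 4464 (70000 mod 65536), so the client allocates 4464 slots and the 4465th field packet trips the check; the general encoder advertises 70000 and unpacking succeeds. A release-build check has to be a real runtime branch like the one in `unpack_fields_checked`, since a debug-only assertion disappears from production clients.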
Diffstat (limited to 'sql-common')
-rw-r--r-- sql-common/client.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index ff5f1ef150a..fb32eea33c7 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1173,6 +1173,8 @@ unpack_fields(MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
for (row=data->data; row ; row = row->next,field++)
{
uchar *pos;
+ /* fields count may be wrong */
+ DBUG_ASSERT ((field - result) < fields);
cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
field->catalog = strdup_root(alloc,(char*) row->data[0]);
field->db = strdup_root(alloc,(char*) row->data[1]);
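Review bot: The guard added at the top of the loop body is a DBUG_ASSERT, which compiles to nothing in non-debug builds, so a release client talking to an unfixed server that truncates the column count still advances `field` past the `fields` entries it allocated and writes into `field->catalog` and `field->db` out of bounds; the commit message says the client was fixed to check for older servers, but only debug builds get that check. Suggest a runtime test that stops the loop and reports a protocol error to the caller, e.g. `if ((uint)(field - result) >= fields) { /* set error, bail out */ }`, and keep the DBUG_ASSERT only as a secondary debugging aid.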