author | Gleb Shchepa <gshchepa@mysql.com> | 2008-06-27 18:22:23 +0500 |
---|---|---|
committer | Gleb Shchepa <gshchepa@mysql.com> | 2008-06-27 18:22:23 +0500 |
commit | dc0e959a302d55825b6204c1cce63d7d73fd5b93 (patch) | |
tree | 8ac8fc9ad8267766f73449691b92aea676f0f6f6 /sql/item.cc | |
parent | 98cf483064d1f176dc0d8219ac6563049de708b0 (diff) | |
backport to 5.1.26 from 6.0
Bug#35658 (An empty binary value leads to mysqld crash)
Before this fix, the following token
b''
caused the parser to crash when reading the binary value from the empty string.
The crash was caused by:
ptr+= max_length - 1;
because max_length is unsigned and was 0, causing an overflow.
With this fix, an empty binary literal b'' is parsed as a binary value 0,
in Item_bin_string.
mysql-test/r/varbinary.result:
Bug#35658 (An empty binary value leads to mysqld crash)
mysql-test/t/varbinary.test:
Bug#35658 (An empty binary value leads to mysqld crash)
sql/item.cc:
Bug#35658 (An empty binary value leads to mysqld crash)
Diffstat (limited to 'sql/item.cc')
-rw-r--r-- | sql/item.cc | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/sql/item.cc b/sql/item.cc
index 96408a70bdd..5ee394fcbe0 100644
--- a/sql/item.cc
+++ b/sql/item.cc
@@ -5172,21 +5172,28 @@ Item_bin_string::Item_bin_string(const char *str, uint str_length)
 if (!ptr)
 return;
 str_value.set(ptr, max_length, &my_charset_bin);
- ptr+= max_length - 1;
- ptr[1]= 0; // Set end null for string
- for (; end >= str; end--)
+
+ if (max_length > 0)
 {
- if (power == 256)
+ ptr+= max_length - 1;
+ ptr[1]= 0; // Set end null for string
+ for (; end >= str; end--)
 {
- power= 1;
- *ptr--= bits;
- bits= 0;
+ if (power == 256)
+ {
+ power= 1;
+ *ptr--= bits;
+ bits= 0;
+ }
+ if (*end == '1')
+ bits|= power;
+ power<<= 1;
 }
- if (*end == '1')
- bits|= power;
- power<<= 1;
+ *ptr= (char) bits;
 }
- *ptr= (char) bits;
+ else
+ ptr[0]= 0;
+
 collation.set(&my_charset_bin, DERIVATION_COERCIBLE);
 fixed= 1;
 } |
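Review bot: The new `else ptr[0]= 0;` branch writes one byte into a buffer whose size is not visible in this hunk, so it is only safe if the allocation reserves at least `max_length + 1` bytes; the constructor starts outside the hunk, so that should be confirmed there. The branch also carries no comment, unlike the `// Set end null for string` line in the non-empty path, and since `str_value.set(ptr, max_length, &my_charset_bin)` has already fixed the length at 0, this byte is a terminator rather than a stored value. I would write it as `ptr[0]= 0; // Empty literal: end null only, str_value length stays 0`. A short comment on `if (max_length > 0)` stating that `max_length - 1` wraps when the unsigned length is 0 would keep the guard from being removed in a later cleanup.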