authorMagne Mahre <magne.mahre@oracle.com>2011-10-07 14:10:15 +0200
committerMagne Mahre <magne.mahre@oracle.com>2011-10-07 14:10:15 +0200
commit5611bcfaa9f64fbec5bba721060d57267578ee9e (patch)
tree9cece79484bb488e15d7818ed496a723df8dd29f /sql/sp_head.cc
parentbccea2cc5dc99f247687cf2bd64815f3e45268a0 (diff)
parente02c3d7fb7e59bcede73392ab0da5a5228859e0f (diff)
Merge from 5.1-security
Diffstat (limited to 'sql/sp_head.cc')
-rw-r--r--sql/sp_head.cc12
1 files changed, 11 insertions, 1 deletions
diff --git a/sql/sp_head.cc b/sql/sp_head.cc
index eb0eb8edc60..36eb50886f3 100644
--- a/sql/sp_head.cc
+++ b/sql/sp_head.cc
@@ -1038,12 +1038,22 @@ subst_spvars(THD *thd, sp_instr *instr, LEX_STRING *query_str)
/*
Allocate additional space at the end of the new query string for the
query_cache_send_result_to_client function.
+
+ The query buffer layout is:
+ buffer :==
+ <statement> The input statement(s)
+ '\0' Terminating null char
+ <length> Length of following current database name (size_t)
+ <db_name> Name of current database
+ <flags> Flags struct
*/
- buf_len= qbuf.length() + thd->db_length + 1 + QUERY_CACHE_FLAGS_SIZE + 1;
+ buf_len= qbuf.length() + 1 + sizeof(size_t) + thd->db_length +
+ QUERY_CACHE_FLAGS_SIZE + 1;
if ((pbuf= (char *) alloc_root(thd->mem_root, buf_len)))
{
memcpy(pbuf, qbuf.ptr(), qbuf.length());
pbuf[qbuf.length()]= 0;
+ *(size_t *)(pbuf+qbuf.length()+1)= thd->db_length;
}
else
DBUG_RETURN(TRUE);
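Review bot: The added store `*(size_t *)(pbuf+qbuf.length()+1)= thd->db_length;` writes through a pointer whose alignment depends on the statement length, so for most queries it is a misaligned size_t access, which is undefined behaviour and can trap on strict-alignment targets. Copying the bytes avoids this and does not depend on the declared width of db_length: `size_t db_len= thd->db_length; memcpy(pbuf+qbuf.length()+1, &db_len, sizeof(db_len));`. The code that reads this length back is not visible here and would presumably need the matching memcpy load at the same offset. The new layout comment lists `<db_name>` and `<flags>`, but this hunk only reserves space for them, so a remark such as `/* db name and flags are filled in by the query cache */` would tell the reader those bytes are still uninitialised at this point, if that is indeed where they are written. subst_spvars begins and ends outside the hunk.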