Fixed bug #16510: Updating field named like '*name' caused server crash.

When setup_fields() function finds field named '*' it expands it to the list
of all table fields. It does so by checking that the first char of
field_name is '*', but it doesn't checks that the '* is the only char.
Due to this, when updating table with a field named like '*name', such field
is wrongly treated as '*' and expanded. This leads to making list of fields
to update being longer than list of the new values. Later, the fill_record() 
function crashes by dereferencing null when there is left fields to update,
but no more values.

Added check in the setup_fields() function which ensures that the field
expanding will be done only when '*' is the only char in the field name.


mysql-test/t/update.test:
  Added test case for bug#16510: Updating field named like '*name' caused server crash
mysql-test/r/update.result:
  Added test case for bug#16510: Updating field named like '*name' caused server crash
sql/sql_base.cc:
  Fixed bug #16510: Updating field named like '*name' caused server crash.
  Added check in the setup_fields() function which ensures that the field
  expanding will be done only when '*' is the only char in the field name.

1 files changed, 1 insertions, 0 deletions

diff --git a/sql/sql_base.cc b/sql/sql_base.cc
index 4f52904a61e..42a2e692d21 100644
--- a/sql/sql_base.cc
+++ b/sql/sql_base.cc
@@ -1983,6 +1983,7 @@ int setup_fields(THD *thd, TABLE_LIST *tables, List<Item> &fields,
     */
     if (item->type() == Item::FIELD_ITEM &&
 	((Item_field*) item)->field_name[0] == '*' &&
+        ((Item_field*) item)->field_name[1] == 0 &&
 	!((Item_field*) item)->field)
     {
       uint elem=fields.elements;