author: unknown <evgen@moonbone.local> 2007-01-19 18:34:09 +0300
committer: unknown <evgen@moonbone.local> 2007-01-19 18:34:09 +0300
commit: 5effa05d3f31971461da851f0650951e1e488421 (patch)
tree: 2261174445362ee68b36085a334b263371a58648 /sql/sql_update.cc
parent: 759a028c20412d26802d479724de932a288a3e43 (diff)
Bug#25172: Not checked buffer size leads to a server crash.

After fix for bug#21798 JOIN stores the pointer to the buffer for sorting fields. It is used while sorting for grouping and for ordering. If ORDER BY clause has more elements than the GROUP BY clause then a memory overrun occurs.

Now the length of the ORDER BY list is always passed to the make_unireg_sortorder() function and it allocates buffer big enough to be used for bigger list.

sql/sql_delete.cc:
  Bug#25172: Not checked buffer size leads to a server crash.
  Length parameter is initialized to 0 for the make_unireg_sortorder() function.
sql/sql_select.cc:
  Bug#25172: Not checked buffer size leads to a server crash.
  Now the length of the ORDER BY list is always passed to the make_unireg_sortorder() function and it allocates buffer big enough to be used for bigger list.
sql/sql_table.cc:
  Bug#25172: Not checked buffer size leads to a server crash.
  Length parameter is initialized to 0 for the make_unireg_sortorder() function.
sql/sql_update.cc:
  Bug#25172: Not checked buffer size leads to a server crash.
  Length parameter is initialized to 0 for the make_unireg_sortorder() function.
mysql-test/r/select.result:
  Added a test case for bug#25172: Not checked buffer size leads to a server crash.
mysql-test/t/select.test:
  Added a test case for bug#25172: Not checked buffer size leads to a server crash.

Diffstat (limited to 'sql/sql_update.cc')
-rw-r--r-- sql/sql_update.cc 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sql_update.cc b/sql/sql_update.cc
index abffd704188..76d4847f923 100644
--- a/sql/sql_update.cc
+++ b/sql/sql_update.cc
@@ -304,7 +304,7 @@ int mysql_update(THD *thd,
Doing an ORDER BY; Let filesort find and sort the rows we are going
to update
*/
- uint length;
+ uint length= 0;
SORT_FIELD *sortorder;
ha_rows examined_rows;
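
Review bot: At `uint length= 0;` the zero is now an input to make_unireg_sortorder() rather than a placeholder for an output, and nothing at the declaration says so. According to the commit message the function uses the passed-in length to size the sort buffer, so a caller that leaves this variable uninitialized would hand it an arbitrary size. A one-line comment here stating that `length` is read as well as written, and that 0 means there is no longer list to allocate for, would keep a later cleanup from dropping the initializer. The same comment is worth repeating at the sql_delete.cc and sql_table.cc call sites named in the commit message, and it would be good to confirm that no other caller of make_unireg_sortorder() still passes an uninitialized length.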