-rw-r--r--mysql-test/r/dyncol.result6
-rw-r--r--mysql-test/t/dyncol.test8
-rw-r--r--mysys/ma_dyncol.c10
3 files changed, 23 insertions, 1 deletions
diff --git a/mysql-test/r/dyncol.result b/mysql-test/r/dyncol.result
index 850c7519784..aaa942f455a 100644
--- a/mysql-test/r/dyncol.result
+++ b/mysql-test/r/dyncol.result
@@ -1228,3 +1228,9 @@ NULL NULL
0002000100030200230861626308636465 2
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
DROP TABLE t1;
+#
+# Some dynamic strings that caused crashes in the past
+#
+set @a=0x0102000200030004000F0D086B74697A6A7176746F6B687563726A746E7A746A666163726C6F7A6B62636B6B756B666779666977617369796F67756C726D62677A72756E63626D78636D7077706A6F736C6D636464696770786B6371637A6A6A6463737A6A676879716462637178646C666E6B6C726A637677696E7271746C616D646368687A6C707869786D666F666261797470616A63797673737A796D74747475666B717573687A79696E7276706F796A6E767361796A6F6D646F6378677A667074746363736A796D67746C786F697873686464616265616A7A6F7168707A6B776B6376737A6B72666C6F666C69636163686F6B666D627166786A71616F;
+select column_add(@a, 3, "a");
+ERROR HY000: Encountered illegal format of dynamic column string
diff --git a/mysql-test/t/dyncol.test b/mysql-test/t/dyncol.test
index eb6403feba3..7eb687b7eff 100644
--- a/mysql-test/t/dyncol.test
+++ b/mysql-test/t/dyncol.test
@@ -498,3 +498,11 @@ SELECT HEX(COLUMN_ADD(f1, 1, 'abc')), COLUMN_LIST(f1) FROM t1;
SELECT COLUMN_ADD(f1, 1, 'abc'), COLUMN_LIST(f1) FROM t1;
--enable_result_log
DROP TABLE t1;
+
+--echo #
+--echo # Some dynamic strings that caused crashes in the past
+--echo #
+
+set @a=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
+--error ER_DYN_COL_WRONG_FORMAT
+select column_add(@a, 3, "a");
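Review bot: The regression case passes the malformed value to `column_add` only, so it pins the update path and nothing else. Adding `select column_list(@a);` and a `column_get` call on the same `@a`, each with whatever `--error` line it turns out to need, would record how the read paths treat this string as well. The matching lines in dyncol.result would have to be regenerated with it.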
diff --git a/mysys/ma_dyncol.c b/mysys/ma_dyncol.c
index 6a8e4d689f3..a9cb3c42655 100644
--- a/mysys/ma_dyncol.c
+++ b/mysys/ma_dyncol.c
@@ -1963,6 +1963,13 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
type_and_offset_read(&tp, &offs, read, offset_size);
if (k == start)
first_offset= offs;
+ else if (offs < first_offset)
+ {
+ dynamic_column_column_free(&tmp);
+ rc= ER_DYNCOL_FORMAT;
+ goto end;
+ }
+
offs+= plan[i].ddelta;
int2store(write, nm);
/* write rest of data at write + COLUMN_NUMBER_SIZE */
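Review bot: The added `else if (offs < first_offset)` branch has no comment saying which invariant it enforces, although the size check in the next hunk depends on `first_offset` being the lowest offset in the copied range. I would put `/* an entry that points before the first copied entry's data means the string is malformed */` above it. The test compares each offset only with the first one, so entries that go backwards relative to each other while staying above `first_offset` still pass here. Whether get_length_interval() rejects that case is not visible on this page. The loop and the rest of dynamic_column_update_many lie outside the hunk.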
@@ -1979,7 +1986,8 @@ dynamic_column_update_many(DYNAMIC_COLUMN *str,
get_length_interval(header_base + start * entry_size,
header_base + end * entry_size,
header_end, offset_size, max_offset);
- if ((long) data_size < 0)
+ if ((long) data_size < 0 ||
+ data_size > max_offset - first_offset)
{
dynamic_column_column_free(&tmp);
rc= ER_DYNCOL_FORMAT;
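Review bot: The new bound `data_size > max_offset - first_offset` only holds up when `first_offset <= max_offset`, and nothing in the visible lines establishes that, because `first_offset` is read from the string in the loop above without an upper check. If both are unsigned (the declarations are outside the hunk), a `first_offset` larger than `max_offset` makes the subtraction wrap to a very large value and the condition lets the string through. Testing it first closes the gap: `if ((long) data_size < 0 || first_offset > max_offset || data_size > max_offset - first_offset)`. The enclosing block continues past the end of the hunk.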