Diffstat (limited to 'sql/item_strfunc.cc')
-rw-r--r-- | sql/item_strfunc.cc | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 267036e4a3d..f9210c842bb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -2706,8 +2706,15 @@ String *Item_func_conv_charset::val_str(String *str)
   DBUG_ASSERT(fixed == 1);
   if (use_cached_value)
     return null_value ? 0 : &str_value;
-  String *arg= args[0]->val_str(str);
+  /*
+    Here we don't pass 'str' as a parameter to args[0]->val_str()
+    as 'str' may points to 'str_value' (e.g. see Item::save_in_field()),
+    which we use below to convert string.
+    Use argument's 'str_value' instead.
+  */
+  String *arg= args[0]->val_str(&args[0]->str_value);;
   uint dummy_errors;
+  arg= args[0]->val_str(&args[0]->str_value);
   if (!arg)
   {
     null_value=1;
@@ -2943,7 +2950,7 @@ String *Item_load_file::val_str(String *str)
       )
     goto err;
 
-  (void) fn_format(path, file_name->c_ptr(), mysql_real_data_home, "",
+  (void) fn_format(path, file_name->c_ptr_safe(), mysql_real_data_home, "",
                    MY_RELATIVE_PATH | MY_UNPACK_FILENAME);
 
   /* Read only allowed from within dir specified by secure_file_priv */
@@ -2969,7 +2976,7 @@ String *Item_load_file::val_str(String *str)
   }
   if (tmp_value.alloc(stat_info.st_size))
     goto err;
-  if ((file = my_open(file_name->c_ptr(), O_RDONLY, MYF(0))) < 0)
+  if ((file = my_open(file_name->ptr(), O_RDONLY, MYF(0))) < 0)
     goto err;
   if (my_read(file, (uchar*) tmp_value.ptr(), stat_info.st_size, MYF(MY_NABP)))
   {
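Review bot: In the first hunk the argument is evaluated twice on the new side — once in the `String *arg= args[0]->val_str(&args[0]->str_value);;` initializer and again two lines later in `arg= args[0]->val_str(&args[0]->str_value);` — so the first result is simply discarded, and an argument that has side effects or is non-deterministic (e.g. a stored function or RAND()) runs twice per row and may yield a different value than the one just computed. This looks like a merge leftover rather than intent; drop the second assignment and the stray double semicolon so only `String *arg= args[0]->val_str(&args[0]->str_value);` remains. While touching the comment, "'str' may points to" should read "'str' may point to". Item_func_conv_charset::val_str continues past the end of the hunk.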
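Review bot: In the third hunk the file that is opened is not the file that was checked: the secure_file_priv guard visible in the previous hunk operates on `path`, the name normalized by fn_format() against mysql_real_data_home, while the new `my_open()` line receives the raw `file_name->ptr()`, so a relative name resolves against the server's working directory rather than the data directory, and `ptr()` — unlike the `c_ptr_safe()` the previous hunk just adopted for the same string — gives no guarantee of a terminating NUL for a C API that expects one. Both are addressed by opening the validated, NUL-terminated buffer: `if ((file = my_open(path, O_RDONLY, MYF(0))) < 0)`. The my_stat() call that fills stat_info lies between the hunks; if it too runs on `path`, the size used for tmp_value.alloc() and my_read() presumably belongs to a different file than the one actually read, which is worth confirming. Item_load_file::val_str starts and ends outside the hunk.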
@@ -3219,7 +3226,21 @@ longlong Item_func_uncompressed_length::val_int()
   if (res->is_empty()) return 0;
 
   /*
-    res->ptr() using is safe because we have tested that string is not empty,
+    If length is <= 4 bytes, data is corrupt. This is the best we can do
+    to detect garbage input without decompressing it.
+  */
+  if (res->length() <= 4)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_ERROR, ER_ZLIB_Z_DATA_ERROR, ER(ER_ZLIB_Z_DATA_ERROR));
+    null_value= 1;
+    return 0;
+  }
+
+  /*
+    res->ptr() using is safe because we have tested that string is at least
+    5 bytes long.
     res->c_ptr() is not used because:
     - we do not need \0 terminated string to get first 4 bytes
     - c_ptr() tests simbol after string end (uninitialiozed memory) which |