Bug#49134 5.1 server segfaults with 2byte collation file

Problem: add_collation did not check that cs->number is smaller than the number of elements in the array all_charsets[], so server could crash when loading an Index.xml file with a collation ID greater the number of elements (for example when downgrading from 5.5). Fix: adding a condition to check that cs->number is not out of valid range.
16 years ago · cff23162ec
2 changed files with 9 additions and 1 deletions
--- a/mysql-test/std_data/Index.xml
+++ b/mysql-test/std_data/Index.xml
@ -8,6 +8,13 @@
      </rules>
    </collation>

+   <collation name="utf8_hugeid_ci" id="2047000000">
+      <rules>
+        <reset>a</reset>
+        <s>b</s>
+      </rules>
+   </collation>
+
  </charset>

  <charset name="ucs2">
--- a/mysys/charset.c
+++ b/mysys/charset.c
@ -220,7 +220,8 @@ copy_uca_collation(CHARSET_INFO *to, CHARSET_INFO *from)
 static int add_collation(CHARSET_INFO *cs)
 {
  if (cs->name && (cs->number ||
-                   (cs->number=get_collation_number_internal(cs->name))))
+                   (cs->number=get_collation_number_internal(cs->name))) &&
+      cs->number < array_elements(all_charsets))
  {
    if (!all_charsets[cs->number])
    {