Bug#12736295 Buffer overflow for variable converted_err with

non-latin1 server error message

The problem was a one byte buffer overflow in the conversion
of a error message between character sets. Ahead of explaining
the problem further, some background information. Before an
error message is sent to the user, the message is converted
to the character set specified in the character_set_results
variable. For various reasons, this conversion might cause
the message to increase in length -- for example, if certain
characters can't be represented in the result character set.

If the final message length is greater than the maximum allowed
length of a error message (MYSQL_ERRMSG_SIZE), the message
is truncated. The message is also always null-terminated
regardless of the character set. The problem arises from this
null-termination. If a message length reached the maximum,
the terminating null character would be placed one byte past
the end of the message buffer.

The solution is to reserve the end of the message buffer for
the null character.

mysql-test/r/ctype_errors.result

@@ -29,4 +29,14 @@ SET lc_messages=cs_CZ;
 SET NAMES UTF8;
 USE nonexistant;
 ERROR 42000: Nezn-Bámá databáze 'nonexistant'
-End of 5.4 tests
+#
+# Bug#12736295: Buffer overflow for variable converted_err
+#               with non-latin1 server error message
+#
+# Connection con1
+SET lc_messages=ru_RU;
+SET NAMES latin1;
+SELECT '01234567890123456789012345678901234\';
+ERROR 42000: \0423 \0432\0430\0441 \043E\0448\0438\0431\043A\0430 \0432 \0437\0430\043F\0440\043E\0441\0435. \0418\0437\0443\0447\0438\0442\0435 \0434\043E\043A\0443\043C\0435\043D\0442\0430\0446\0438\044E \043F\043E \0438\0441\043F\043E\043B\044C\0437\0443\0435\043C\043E\0439 \0432\0435\0440\0441\0438\0438 MySQL \043D\0430 \043F\0440\0435\0434\043C\0435\0442 \043A\043E\0440\0440\0435\043A\0442\043D\043E\0433\043E \0441\0438\043D\0442\0430\043A\0441\0438\0441\0430 \043E\043A\043E\043B\043E ''012345678901234567890123456
+# Connection default
+End of 5.5 tests

mysql-test/t/ctype_errors.test

@@ -44,4 +44,19 @@ USE nonexistant;
 disconnect con1;
 connection default;
 
---echo End of 5.4 tests
+--echo #
+--echo # Bug#12736295: Buffer overflow for variable converted_err
+--echo #               with non-latin1 server error message
+--echo #
+
+connect (con1,localhost,root,,test);
+--echo # Connection con1
+SET lc_messages=ru_RU;
+SET NAMES latin1;
+--error ER_PARSE_ERROR
+--query SELECT '01234567890123456789012345678901234\'
+disconnect con1;
+--echo # Connection default
+connection default;
+
+--echo End of 5.5 tests

sql/sql_error.cc

@@ -803,14 +803,16 @@ uint32 convert_error_message(char *to, uint32 to_length, CHARSET_INFO *to_cs,
   my_wc_t     wc;
   const uchar *from_end= (const uchar*) from+from_length;
   char *to_start= to;
-  uchar *to_end= (uchar*) to+to_length;
+  uchar *to_end;
   my_charset_conv_mb_wc mb_wc= from_cs->cset->mb_wc;
   my_charset_conv_wc_mb wc_mb;
   uint error_count= 0;
   uint length;
 
   DBUG_ASSERT(to_length > 0);
+  /* Make room for the null terminator. */
   to_length--;
+  to_end= (uchar*) (to + to_length);
 
   if (!to_cs || from_cs == to_cs || to_cs == &my_charset_bin)
   {