From 48cbd14165a2d3d4d5c33fd7a4c9ad198dee5dd3 Mon Sep 17 00:00:00 2001
From: Venkata Sidagam
Date: Wed, 31 Oct 2012 18:32:53 +0530
Subject: [PATCH] BUG#13556441: CHECK AND REPAIR TABLE SHOULD BE MORE ROBUST [4]
Problem description: mysql server crashes when we run repair table on currupted table.
Analysis: The problem with this bug seem to be key_reflength out of bounds (186 according to debugger). We read this value from meta-data segment of .MYI file while doing mi_open(). If you look into _mi_kpointer() you can see that the upper limit for key_reflength is 7.
Solution: In mi_open() there is a line like: if (share->base.keystart > 65535 || share->base.rec_reflength > 8) we should verify key_reflength here as well.
---
 storage/myisam/mi_open.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/storage/myisam/mi_open.c b/storage/myisam/mi_open.c
index 86cf25b59ef..5951aef6d4f 100644
--- a/storage/myisam/mi_open.c
+++ b/storage/myisam/mi_open.c
@@ -232,7 +232,8 @@ MI_INFO *mi_open(const char *name, int mode, uint open_flags)
 }
 /* sanity check */
- if (share->base.keystart > 65535 || share->base.rec_reflength > 8)
+ if (share->base.keystart > 65535 ||
+ share->base.rec_reflength > 8 || share->base.key_reflength > 7)
 {
 my_errno=HA_ERR_CRASHED;
 goto err;