From 9c47ea838078a33ef7fad6d13697c9190c8035b6 Mon Sep 17 00:00:00 2001
From: Alexander Barkov
Date: Tue, 15 Dec 2009 13:48:29 +0400
Subject: [PATCH] Bug#49134 5.1 server segfaults with 2byte collation file Problem: add_collation did not check that cs->number is smaller than the number of elements in the array all_charsets[], so server could crash when loading an Index.xml file with a collation ID greater the number of elements (for example when downgrading from 5.5). Fix: adding a condition to check that cs->number is not out of valid range.
---
 mysql-test/std_data/Index.xml | 7 +++++++
 mysys/charset.c | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/mysql-test/std_data/Index.xml b/mysql-test/std_data/Index.xml
index 3dc647d8195..b8f61d59203 100644
--- a/mysql-test/std_data/Index.xml
+++ b/mysql-test/std_data/Index.xml
@@ -8,6 +8,13 @@ + + + a + b + + +
diff --git a/mysys/charset.c b/mysys/charset.c
index d59be4ab6c7..b1b91d716ba 100644
--- a/mysys/charset.c
+++ b/mysys/charset.c
@@ -220,7 +220,8 @@ copy_uca_collation(CHARSET_INFO *to, CHARSET_INFO *from)
 static int add_collation(CHARSET_INFO *cs)
 {
 if (cs->name && (cs->number ||
- (cs->number=get_collation_number_internal(cs->name))))
+ (cs->number=get_collation_number_internal(cs->name))) &&
+ cs->number < array_elements(all_charsets))
 {
 if (!all_charsets[cs->number])
 {
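Review bot: The added `cs->number < array_elements(all_charsets)` test in add_collation's condition makes an out-of-range collation ID skip the whole `if` body silently, so a collation dropped from Index.xml this way leaves nothing for an operator to diagnose. The rest of the function, including what it returns on that path, is outside the hunk. Since the ID is read from a file on disk, I would record the intent next to the check with a comment such as `/* Index.xml is external input: ignore IDs that do not fit in all_charsets[] */`, and consider emitting a warning when an entry is skipped. The upper-bound-only comparison is sufficient only if cs->number is an unsigned field, which the hunk does not show; a signed field would need an explicit lower bound as well.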