From 4af4284b79ca05ca18c59051eca4705fc3b20181 Mon Sep 17 00:00:00 2001
From: Alexey Botchkov
Date: Wed, 29 Apr 2020 11:06:48 +0400
Subject: [PATCH] MDEV-22337 Assertion `Alloced_length >= (str_length + length +...

Fix pointer calculations in the Session_tracker::store. Most of the fix for this bug goes to the 10.5, but this part should be also fixed earlier.
---
 sql/session_tracker.cc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sql/session_tracker.cc b/sql/session_tracker.cc
index 4ca94b6cd6036..7538295fcea8d 100644
--- a/sql/session_tracker.cc
+++ b/sql/session_tracker.cc
@@ -1693,7 +1693,7 @@ void Session_tracker::store(THD *thd, String *buf)
 }
 size_t length= buf->length() - start;
- uchar *data= (uchar *)(buf->ptr() + start);
+ uchar *data;
 uint size;
 if ((size= net_length_size(length)) != 1)
@@ -1703,8 +1703,16 @@ void Session_tracker::store(THD *thd, String *buf)
 buf->length(start); // it is safer to have 0-length block in case of error
 return;
 }
+
+ /*
+ The 'buf->reserve()' can change the buf->ptr() so we cannot
+ calculate the 'data' earlier.
+ */
+ data= (uchar *)(buf->ptr() + start);
 memmove(data + (size - 1), data, length);
 }
+ else
+ data= (uchar *)(buf->ptr() + start);
 net_store_length(data - 1, length);
 }
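Review bot: The `data= (uchar *)(buf->ptr() + start);` recomputation now appears twice in the second hunk — once after the reserve path just before `memmove`, and once in the new `else` arm, which exists only to carry that duplicate. Computing it once below the `if` block keeps the fix (the pointer is still taken after any `reserve()` has run) and removes the branch: inside the block use `uchar *moved= (uchar *)(buf->ptr() + start);` / `memmove(moved + (size - 1), moved, length);`, and after the closing brace `data= (uchar *)(buf->ptr() + start);` immediately before `net_store_length`. The comment explaining why the pointer must be taken late should move with that single assignment, since it is the whole point of the patch. `net_store_length(data - 1, length)` still relies on a byte having been left free at `start - 1` by the part of store() above the hunk, which is outside this view; a short comment on that precondition next to the call would make the `- 1` less surprising to the next reader.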