From 5cfc7799a33576bb638652bac6e341570c80a7e1 Mon Sep 17 00:00:00 2001
From: Alexander Barkov <bar@mariadb.com>
Date: Fri, 26 Apr 2019 14:01:21 +0400
Subject: [PATCH] MDEV-16518 MYSQL57_GENERATED_FIELD: The code in
 TABLE_SHARE::init_from_binary_frm_image() is not safe

---
 mysql-test/std_data/frm/mdev16518.frm    | Bin 0 -> 8619 bytes
 mysql-test/suite/vcol/r/vcol_misc.result |  16 ++++++++++++++++
 mysql-test/suite/vcol/t/vcol_misc.test   |  23 +++++++++++++++++++++++
 sql/table.cc                             |   3 ++-
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 mysql-test/std_data/frm/mdev16518.frm

diff --git a/mysql-test/std_data/frm/mdev16518.frm b/mysql-test/std_data/frm/mdev16518.frm
new file mode 100644
index 0000000000000000000000000000000000000000..72a4c41f0b4f3c4de8471b474ce4c4c813cdd36e
GIT binary patch
literal 8619
zcmeI&K?;IE6b9hm85ND7h!EVl39=S;ga}$n(XQPbV`kS)Izad6SWQn%bJ<epf15Y&
zR|fgEzE_aO8kh&bP8xFbr4l4S)XdV`noC<ff#Nfxss=+BvQvNp6rcbFC_n)UP=Epy
zpa2CZFggJR-+$Bh)JNSRMt!VLmuovuyO^B<6rcbFC_n)UP=Epypa2CZK!LFfJOcUY
z|Hl<TV~>Lf<VbsmGcw76nLG=%T9(C+g%HZh&V+J^p{+xxvJ48?-sQTe*{5iN$smZe
b1dArPwQqRqowv?Ib~3Ow))bq<I8(j>iK87s

literal 0
HcmV?d00001

diff --git a/mysql-test/suite/vcol/r/vcol_misc.result b/mysql-test/suite/vcol/r/vcol_misc.result
index bedc44e7fc41b..291a954baf636 100644
--- a/mysql-test/suite/vcol/r/vcol_misc.result
+++ b/mysql-test/suite/vcol/r/vcol_misc.result
@@ -409,3 +409,19 @@ Warning	1918	Encountered illegal value '\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7' when c
 #
 # End of 10.1 tests
 #
+#
+# Start of 10.2 tests
+#
+#
+# MDEV-16518 MYSQL57_GENERATED_FIELD: The code in TABLE_SHARE::init_from_binary_frm_image() is not safe
+#
+SHOW TABLES;
+Tables_in_test
+t1
+SHOW CREATE TABLE t1;
+ERROR HY000: Incorrect information in file: './test/t1.frm'
+ALTER TABLE t1;
+ERROR HY000: Incorrect information in file: './test/t1.frm'
+#
+# End of 10.2 tests
+#
diff --git a/mysql-test/suite/vcol/t/vcol_misc.test b/mysql-test/suite/vcol/t/vcol_misc.test
index b351e1eb4a6b4..255621845fbf2 100644
--- a/mysql-test/suite/vcol/t/vcol_misc.test
+++ b/mysql-test/suite/vcol/t/vcol_misc.test
@@ -371,3 +371,26 @@ SELECT COLUMN_GET(@aaa, 'price' AS DOUBLE) aaa;
 --echo #
 --echo # End of 10.1 tests
 --echo #
+
+
+--echo #
+--echo # Start of 10.2 tests
+--echo #
+
+--echo #
+--echo # MDEV-16518 MYSQL57_GENERATED_FIELD: The code in TABLE_SHARE::init_from_binary_frm_image() is not safe
+--echo #
+
+--copy_file std_data/frm/mdev16518.frm $MYSQLD_DATADIR/test/t1.frm
+SHOW TABLES;
+--replace_result $MYSQLD_DATADIR ./
+--error ER_NOT_FORM_FILE
+SHOW CREATE TABLE t1;
+--replace_result $MYSQLD_DATADIR ./
+--error ER_NOT_FORM_FILE
+ALTER TABLE t1;
+--remove_file $MYSQLD_DATADIR/test/t1.frm
+
+--echo #
+--echo # End of 10.2 tests
+--echo #
diff --git a/sql/table.cc b/sql/table.cc
index 2cf21c889e2f2..5337a50621588 100644
--- a/sql/table.cc
+++ b/sql/table.cc
@@ -1839,7 +1839,8 @@ int TABLE_SHARE::init_from_binary_frm_image(THD *thd, bool write,
           goto err;
         vcol_info= new (&share->mem_root) Virtual_column_info();
         vcol_info_length= uint2korr(vcol_screen_pos + 1);
-        DBUG_ASSERT(vcol_info_length);
+        if (!vcol_info_length) // Expect non-empty expression
+          goto err;
         vcol_info->stored_in_db= vcol_screen_pos[3];
         vcol_info->utf8= 0;
         vcol_screen_pos+= vcol_info_length + MYSQL57_GCOL_HEADER_SIZE;;