
MySQL-4.1.11-1.6.102mdk.src.rpm

--- mysql-4.1.18/sql/sql_parse.cc	2006-01-27 09:25:55.000000000 -0700
+++ mysql-4.1.19/sql/sql_parse.cc	2006-04-28 23:35:48.000000000 -0600
@@ -906,13 +906,20 @@
     *passwd++ : strlen(passwd);
   db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
     db + passwd_len + 1 : 0;
+  uint db_len= db ? strlen(db) : 0;
+
+  if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
+  {
+    inc_host_errors(&thd->remote.sin_addr);
+    return ER_HANDSHAKE_ERROR;
+  }
 
   /* Since 4.1 all database names are stored in utf8 */
   if (db)
   {
     db_buff[copy_and_convert(db_buff, sizeof(db_buff)-1,
                              system_charset_info,
-                             db, strlen(db),
+                             db, db_len,
                              thd->charset(), &dummy_errors)]= 0;
     db= db_buff;
   }
@@ -1379,7 +1386,17 @@
   {
     char *db, *tbl_name;
     uint db_len= *(uchar*) packet;
+    if (db_len >= packet_length || db_len > NAME_LEN)
+    {
+      send_error(thd, ER_UNKNOWN_COM_ERROR);
+      break;
+    }
     uint tbl_len= *(uchar*) (packet + db_len + 1);
+    if (db_len+tbl_len+2 > packet_length || tbl_len > NAME_LEN)
+    {
+      send_error(thd, ER_UNKNOWN_COM_ERROR);
+      break;
+    }
 
     statistic_increment(com_other, &LOCK_status);
     thd->enable_slow_log= opt_log_slow_admin_statements;
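Review bot: The first guard in this hunk is off by one: `db_len == packet_length - 1` passes `db_len >= packet_length`, and the next line then reads `tbl_len` from `packet[packet_length]`, one byte past the packet (whether a readable byte sits there depends on the net buffer layout, which this hunk does not show). Rejecting with `if (db_len + 1 >= packet_length || db_len > NAME_LEN)` keeps the `tbl_len` read inside the packet; the second guard then correctly covers the two names and their length bytes, and since both lengths come from single bytes the `db_len+tbl_len+2` sum cannot overflow. The enclosing switch case begins before the hunk and continues past it.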