--- sql/sql_parse.cc 2010-03-29 16:51:28.000000000 +0200 +++ sql/sql_parse.cc.oden 2010-05-26 13:57:39.653207091 +0200 @@ -1303,8 +1303,16 @@ bool dispatch_command(enum enum_server_c We have name + wildcard in packet, separated by endzero */ arg_end= strend(packet); + uint arg_length= arg_end - packet; + + /* Check given table name length. */ + if (arg_length >= packet_length || arg_length > NAME_LEN) + { + my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0)); + break; + } thd->convert_string(&conv_name, system_charset_info, - packet, (uint) (arg_end - packet), thd->charset()); + packet, arg_length, thd->charset()); table_list.alias= table_list.table_name= conv_name.str; packet= arg_end + 1;