Merge dev:/data0/mysqldev/my/build-200801111340-5.0.54a/mysql-5.0-release

into  pippilotta.erinye.com:/shared/home/df/mysql/build/mysql-5.0-build

extra/yassl/src/handshake.cpp

@@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer& input, SSL& ssl)
     input.read(len, sizeof(len));
     uint16 randomLen;
     ato16(len, randomLen);
+    if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
+        randomLen > RAN_LEN) {
+        ssl.SetError(bad_input);
+        return;
+    }
 
     int j = 0;
     for (uint16 i = 0; i < ch.suite_len_; i += 3) {    

extra/yassl/src/template_instnt.cpp

@@ -101,6 +101,7 @@ template void ysArrayDelete<unsigned char>(unsigned char*);
 template void ysArrayDelete<char>(char*);
 
 template int min<int>(int, int);
+template uint16 min<uint16>(uint16, uint16);
 template unsigned int min<unsigned int>(unsigned int, unsigned int);
 template unsigned long min<unsigned long>(unsigned long, unsigned long);
 }

extra/yassl/src/yassl_imp.cpp

@@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buffer& input, SSL& ssl)
     }
 
     uint len = c24to32(length_);
+    if (len > input.get_remaining()) {
+        ssl.SetError(bad_input);
+        return;
+    }
     hashHandShake(ssl, input, len);
 
     hs->set_length(len);
@@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& input, ClientHello& hello)
     
     // Suites
     byte tmp[2];
+    uint16 len;
     tmp[0] = input[AUTO];
     tmp[1] = input[AUTO];
-    ato16(tmp, hello.suite_len_);
+    ato16(tmp, len);
+
+    hello.suite_len_ = min(len, static_cast<uint16>(MAX_SUITE_SZ));
     input.read(hello.cipher_suites_, hello.suite_len_);
+    if (len > hello.suite_len_) // ignore extra suites
+        input.set_current(input.get_current() + len -  hello.suite_len_);
 
     // Compression
     hello.comp_len_ = input[AUTO];