Description:
When inserting a malformed INSERT query, I was able to crash the server.  The insert has to be specially crafted.  If I make just about any change it seems to no longer segfault (very specific about crash).

Verified in 4.0.21, 5.0.22, 5.1.10 against more than one machine/OS/architecture (probably exists in a lot more versions).

How to repeat:
Try running this:

DROP TABLE IF EXISTS `a`;
CREATE TABLE `a` (
  `a` longtext NOT NULL,
  `b` longtext NOT NULL
 ) DEFAULT CHARSET=latin1 ENGINE=MyISAM;

INSERT INTO `a` VALUES (' 
INSERT INTO `a` VALUES ('<?php\r\n\r\($t) {\r\n. "...";	.</p>\r\n\r\n<?php\r\n\r\nfunction shorten_text($text) {\r\n	return substr($text, 0, 75) . "...";	\r\n}\r\n\r\nforeach (get_NNN_for_sale() as $NNN_id => $array) {\r\n/*pict1, thumb, id, make, model, year, status*/\r\n$imgsrc = $array[''thumb''];\r\n$filename = "foo";\r\n$textlink = sprintf("%s %s %s", $array[''year''],\r\n	$array[''make''], $array[''model'']);\r\n\r\nprint "<div style=''float: left; width: 120px''>\r\n<a href=\\"NNN?id=$NNN_id&fake=/v/NNN/$NNN_id/$filename.html\\"><img src=''/uploadedimages/$imgsrc'' width=''100'' height=''75'' border=''0'' alt=''''></a>\r\n</div><div style=''float: left; width: 250px''>\r\n<h3><a href=\\"NNN?id=$NNN_id&fake=$filename.html\\">$textlink</a></h3>";\r\nprint shorten_text($array[''details'']);\r\nprint "</div><div style=''clear: both''></div>";\r\n\r\n/*\r\nif ($array[''status'']=="expectedsoon") {\r\n	print "<font color=''red''>- Expected Soon</font>";\r\n}\r\n*/\r\n\r\n}\r\n?>\r\n<!--break-->');

**Note**
This may not be reproducable from here if the bug system changes line wrappings.  In this case, see attached file instead.

steps to reproduce

Attachment: segfault-bug.sql (text/x-sql), 1.15 KiB.

Verified on Linux using 5.0 and 5.1 BK, but with exception: there is segmentation fault of client, not server.

Below is log:
ssmirnova@shella ~/mysql5.0b
$libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data &
[1] 20367

ssmirnova@shella ~/mysql5.0b
$060719 12:00:54  InnoDB: Started; log sequence number 0 3316283
060719 12:00:54 [Note] libexec/mysqld: ready for connections.
Version: '5.0.25'  socket: '/tmp/mysql.sock'  port: 0  Source distribution

ssmirnova@shella ~/mysql5.0b
$ps -ef | grep mysql
10149    20367 19746  0 12:00 pts/19   00:00:00 libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data

ssmirnova@shella ~/mysql5.0b
$bin/mysql --socket=/tmp/mysql.sock -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.25

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> source ../mysql5.1b/bug21142.sql
Query OK, 0 rows affected, 1 warning (0.00 sec)

Query OK, 0 rows affected (0.13 sec)

Segmentation fault

ssmirnova@shella ~/mysql5.0b
$ps -ef | grep mysql
10149    20367 19746  0 12:00 pts/19   00:00:00 libexec/mysqld --defaults-file=support-files/my-small.cnf --skip-networking --basedir=. -ussmirnova --datadir=./data

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10989

ChangeSet@1.2538, 2006-08-29 14:38:02+05:00, ramil@mysql.com +1 -0
  Fix for bug #21142: Malformed insert causes a segmentation fault.
    - possible stack overflow fixed.

Thank you, Ramil.  Looks fine.

Available in 5.0.26.

Available in 5.1.12-beta.

Noted in 5.0.26, 5.1.12 changelogs.

Certain malformed INSERT statements could crash the mysql client.

Available in 4.1.22.

The fix didn't make into 5.0.26, it was first in 5.0.30

Moved 5.0.26 changelog entry to 5.0.30.
Added entry to 4.1.22.