| Bug #21311 | Possible stack overrun if SP has non-latin1 name | ||
|---|---|---|---|
| Submitted: | 27 Jul 2006 11:41 | Modified: | 4 Oct 2006 2:32 |
| Reporter: | Andrey Hristov | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Stored Routines | Severity: | S2 (Serious) |
| Version: | 5.0 | OS: | Any (All) |
| Assigned to: | Andrey Hristov | CPU Architecture: | Any |
[30 Aug 2006 16:12]
Tomash Brechko
Approved by e-mail with several comments.
[30 Aug 2006 19:35]
Petr Chardin
approved by email (after adding a test)
[27 Sep 2006 19:30]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/12648

ChangeSet@1.2257, 2006-09-27 21:23:17+02:00, andrey@example.com +3 -0

Fix for bug#21311: Possible stack overrun if SP has non-latin1 name

There was possible stack overrun in an edge case which handles invalid body of a SP in mysql.proc. That should be case when mysql.proc has been changed manually. Though, due to bug 21513, it can be exploited without having access to mysql.proc only being able to create a stored routine.
[3 Oct 2006 19:37]
Dmitry Lenev
Fixed in 5.0.27 and 5.1.12
[4 Oct 2006 2:32]
Paul DuBois
Noted in 5.0.27, 5.1.12 changelogs. It was possible for a stored routine with a non-latin1 name to cause a stack overrun.
[25 Oct 2006 16:46]
Paul DuBois
The 5.0.x fix is in 5.0.30.

Description:

In sp.cc, function sp_cache_routines_and_add_tables_aux() the following code is used:

```cpp
if (!thd->net.report_error)
{
  char n[NAME_LEN*2+2];

  /* m_qname.str is not always \0 terminated */
  memcpy(n, name.m_qname.str, name.m_qname.length);
  n[name.m_qname.length]= '\0';
  my_error(ER_SP_PROC_TABLE_CORRUPT, MYF(0), n, ret);
}
```

NAME_LEN is defined in include/mysql_com.h as

```c
#define NAME_LEN 64 /* Field/table name length */
```

This is the length in characters, not in bytes. If the db + name of the routine are long enough and are not latin1 (for example cyrillic), this could lead to a possible stack overrun.

How to repeat:
Check the sources.

Suggested fix:
Use n[NAME_LEN * 3 * 2 + 2], considering that our utf8 is limited to 3 byte sequences.
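The sizing mistake above is easy to reproduce in isolation. The following is an added example written for this page, not code from the MySQL source: it mirrors the two constants the report names (NAME_LEN = 64 characters, utf8 limited to 3-byte sequences), constructs a qualified name whose db and routine parts are each 64 copies of the 2-byte Cyrillic letter "я", and compares the byte length against the original buffer size (NAME_LEN*2+2) and the suggested one (NAME_LEN*3*2+2). The helper names (`qname_bytes_needed`, `copy_qname_bounded`, `make_cyrillic_qname`) are this example's own; `copy_qname_bounded` shows the bounded-copy pattern a reviewer would want in place of the unchecked memcpy, so an oversized name is truncated and reported rather than written past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Values from the report: NAME_LEN is a count of characters, and the
 * server's utf8 is limited to 3-byte sequences (the report's stated limit). */
#define NAME_LEN 64
#define UTF8_MAX_BYTES 3

/* Stack buffer size used by the original code: it treats NAME_LEN as bytes. */
#define QNAME_BUF_ORIGINAL (NAME_LEN * 2 + 2)
/* Size from the suggested fix: db + '.' + name at 3 bytes per character, plus NUL. */
#define QNAME_BUF_FIXED (NAME_LEN * UTF8_MAX_BYTES * 2 + 2)

/* Bytes needed for "db.name" (no NUL) when every character of both parts is
 * encoded with bytes_per_char bytes. */
size_t qname_bytes_needed(size_t db_chars, size_t name_chars, size_t bytes_per_char)
{
    return db_chars * bytes_per_char + 1 + name_chars * bytes_per_char;
}

/* 1 if such a qualified name plus its terminating NUL fits in buf_size bytes. */
int qname_fits(size_t db_chars, size_t name_chars, size_t bytes_per_char, size_t buf_size)
{
    return qname_bytes_needed(db_chars, name_chars, bytes_per_char) + 1 <= buf_size;
}

/* Bounded replacement for the unchecked memcpy: copies at most dst_size-1
 * bytes, always NUL-terminates, and returns the length the caller wanted so
 * truncation can be detected (return value >= dst_size). */
size_t copy_qname_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Constructed input (not from the report): a qualified name whose db and
 * routine parts are each NAME_LEN copies of the Cyrillic letter "я"
 * (UTF-8 0xD1 0x8F, 2 bytes). Writes it into buf and returns its byte
 * length without the NUL; never writes past buf_size. */
size_t make_cyrillic_qname(char *buf, size_t buf_size)
{
    static const char ya[2] = { (char)0xD1, (char)0x8F };
    size_t pos = 0;
    for (int part = 0; part < 2; part++) {
        if (part == 1 && pos + 1 < buf_size)
            buf[pos++] = '.';
        for (int i = 0; i < NAME_LEN && pos + 2 < buf_size; i++) {
            memcpy(buf + pos, ya, 2);
            pos += 2;
        }
    }
    if (pos < buf_size)
        buf[pos] = '\0';
    return pos;
}

/* Measures the constructed name against the original buffer; returns how
 * many bytes (including the NUL) would not have fit, 0 if it fits. */
size_t original_buffer_overrun_bytes(void)
{
    char qname[QNAME_BUF_FIXED];
    size_t len = make_cyrillic_qname(qname, sizeof qname);
    size_t needed = len + 1; /* plus NUL */
    return needed > QNAME_BUF_ORIGINAL ? needed - QNAME_BUF_ORIGINAL : 0;
}

int main(void)
{
    char fixed[QNAME_BUF_FIXED];
    char small[QNAME_BUF_ORIGINAL];
    char qname[QNAME_BUF_FIXED];
    size_t len = make_cyrillic_qname(qname, sizeof qname);

    printf("qualified name: %d chars, %zu bytes\n", NAME_LEN * 2 + 1, len);
    printf("original buffer %d bytes: fits=%d\n", QNAME_BUF_ORIGINAL, len + 1 <= QNAME_BUF_ORIGINAL);
    printf("fixed buffer    %d bytes: fits=%d\n", QNAME_BUF_FIXED, len + 1 <= QNAME_BUF_FIXED);

    size_t want = copy_qname_bounded(small, sizeof small, qname, len);
    printf("bounded copy into original-size buffer kept %zu of %zu bytes (truncated=%d)\n",
           strlen(small), want, want >= sizeof small);
    copy_qname_bounded(fixed, sizeof fixed, qname, len);
    printf("bounded copy into fixed-size buffer kept %zu bytes\n", strlen(fixed));
    return 0;
}
```

With 2-byte characters the constructed "db.name" is 257 bytes, already well past the 130-byte buffer the original code reserves, while the corrected 386-byte buffer holds even the 3-byte worst case (385 bytes plus NUL) exactly. The general lesson is that any limit expressed in characters has to be multiplied by the maximum encoded width before it is used as a byte count, and that a copy into a fixed stack buffer should be bounded by the buffer size regardless of how the size was derived.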