| Bug #31836 | insufficient space reserved for the suffix of relay log file name | ||
|---|---|---|---|
| Submitted: | 25 Oct 2007 8:13 | Modified: | 28 Nov 2007 18:51 |
| Reporter: | Andrei Elkin | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Replication | Severity: | S2 (Serious) |
| Version: | 5.0,5.1 | OS: | Any |
| Assigned to: | Andrei Elkin | CPU Architecture: | Any |
[27 Nov 2007 10:49]
Bugs System
Pushed into 5.0.54
[27 Nov 2007 10:50]
Bugs System
Pushed into 5.1.23-rc
[27 Nov 2007 10:53]
Bugs System
Pushed into 6.0.4-alpha
[28 Nov 2007 18:51]
Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.
If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at
http://dev.mysql.com/doc/en/installing-source.html
Documented in 5.0.54, 5.1.23, and 6.0.4 changelogs as:
It was possible for the name of the relay log file to exceed
the amount of memory reserved for it, possibly leading to a
crash of the server.

Description:
If the global `char pidfile_name[FN_REFLEN]' value occupies more than FN_REFLEN - strlen("relay-bin") - 1 == FN_REFLEN - 10, then in generating the relay log file name in init_relay_log_info() -> MYSQL_LOG::generate_name() the buffer relay_log_info:char buf[FN_REFLEN] overruns.

Look at the calling line

  rli->relay_log.generate_name(opt_relay_logname, "-relay-bin", 1, buf)

If opt_relay_logname is NULL, the two lines of MYSQL_LOG::generate_name()

  strmake(buff, pidfile_name, FN_REFLEN - 5); // buff is buf of caller
  strmov(fn_ext(buff), suffix);

will store in buf[FN_REFLEN] FN_REFLEN + 10 - 5 bytes, i.e. 5 bytes over the size.

How to repeat:
Look at the code, or create a setup where pidfile_name is more than 512 - 10 == 502 bytes. Start mysqld without --relay-log. The overrun can be noticed by different means, including a crash.

Practically I did:
1. Set pidfile_name to a string with strlen 502, i.e. occupying 503 bytes.
2. Checked at return from MYSQL_LOG::generate_name() the length of the string:

  (gdb) p strlen(buff)
  $9 = 512

However, sizeof(init_relay_log_info:buf) == 512, which means a 1 byte overrun in buf.

Suggested fix:
Fix along the lines of bug#28597 by reserving the max bytes among all possible suffixes appendable to the `pidfile_name' root.
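As an added illustration (this is not MySQL source and not the reporter's code), the C model below reproduces the arithmetic of the two generate_name() lines quoted in the report. It uses local stand-ins for the mysys functions strmake(), strmov() and fn_ext(), whose semantics are assumed to match the originals (strmake copies at most N characters and NUL-terminates, strmov copies through the NUL, fn_ext points at the extension of the last path component or at the end of the string), and a hypothetical MAX_SUFFIX_LEN constant standing for the "max bytes among all possible suffixes" that the suggested fix reserves. generate_name_bytes_written() computes, in an oversized scratch buffer, how many bytes the original sequence would write into the caller's FN_REFLEN-sized buf, and generate_name_safe() shows the hardened form that truncates with the suffix already reserved. All pidfile names are constructed inputs.

```c
/* Added example for bug #31836: model of the relay-log name generation
 * overrun and of the reservation-based fix. Not MySQL code. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FN_REFLEN 512              /* as in MySQL 5.0/5.1 */
#define RELAY_SUFFIX "-relay-bin"  /* suffix passed by init_relay_log_info() */
/* Assumption: the longest suffix ever appended to the pidfile_name root. */
#define MAX_SUFFIX_LEN 10

/* Stand-in for mysys strmake(): copy at most `length` chars, then NUL. */
static char *my_strmake(char *dst, const char *src, size_t length)
{
    size_t n = 0;
    while (n < length && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst + n;
}

/* Stand-in for mysys strmov(): copy including the NUL, return its address. */
static char *my_strmov(char *dst, const char *src)
{
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);
    return dst + n;
}

/* Stand-in for mysys fn_ext(): extension of the last path component,
 * or the terminating NUL when the component has no '.'. */
static char *my_fn_ext(const char *name)
{
    const char *base = strrchr(name, '/');
    base = base ? base + 1 : name;
    const char *dot = strrchr(base, '.');
    return (char *)(dot ? dot : name + strlen(name));
}

/* Bytes (including NUL) that the original two-line sequence writes into the
 * caller's buf[FN_REFLEN]. Computed in a scratch buffer sized for the worst
 * case so the model itself never overruns. */
size_t generate_name_bytes_written(const char *pidfile_name, const char *suffix)
{
    char scratch[FN_REFLEN - 5 + MAX_SUFFIX_LEN + 1];
    assert(strlen(suffix) <= MAX_SUFFIX_LEN);
    my_strmake(scratch, pidfile_name, FN_REFLEN - 5); /* the reported line */
    my_strmov(my_fn_ext(scratch), suffix);            /* the reported line */
    return strlen(scratch) + 1;
}

/* 1 when the original sequence would write past a FN_REFLEN-byte buf. */
int overruns_caller_buffer(const char *pidfile_name, const char *suffix)
{
    return generate_name_bytes_written(pidfile_name, suffix) > FN_REFLEN;
}

/* Hardened form, following the suggested fix: truncate the root so that the
 * longest possible suffix plus NUL still fits in buff_size bytes.
 * Returns 0 on success, -1 if the suffix exceeds the reserved length. */
int generate_name_safe(char *buff, size_t buff_size,
                       const char *pidfile_name, const char *suffix)
{
    if (strlen(suffix) > MAX_SUFFIX_LEN || buff_size < MAX_SUFFIX_LEN + 1)
        return -1;
    my_strmake(buff, pidfile_name, buff_size - MAX_SUFFIX_LEN - 1);
    my_strmov(my_fn_ext(buff), suffix); /* at most MAX_SUFFIX_LEN + 1 bytes */
    return 0;
}

/* Constructed pidfile_name of `len` characters with no '.' extension. */
void make_pidfile_name(char *out, size_t len)
{
    memset(out, 'a', len);
    out[len] = '\0';
}

int main(void)
{
    char name[600];
    char buf[FN_REFLEN];
    size_t lens[] = { 501, 502, 520 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_pidfile_name(name, lens[i]);
        printf("strlen(pidfile_name)=%zu -> %zu bytes written, overrun=%d\n",
               lens[i], generate_name_bytes_written(name, RELAY_SUFFIX),
               overruns_caller_buffer(name, RELAY_SUFFIX));
        generate_name_safe(buf, sizeof buf, name, RELAY_SUFFIX);
        printf("  safe variant: strlen(buf)=%zu\n", strlen(buf));
    }
    return 0;
}
```

With a 502-character name and no extension the model reports 513 bytes written, one past the 512-byte buf, matching the strlen(buff) == 512 observed in gdb; once the name reaches the 507-character strmake limit the count is 518. The safe variant never exceeds 512 because the truncation length already subtracts MAX_SUFFIX_LEN + 1.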