Description:
This is from innodb_plugin/mtr/mtr0log.c in 5.1:

410	if (UNIV_UNLIKELY(offset >= UNIV_PAGE_SIZE)
411			|| UNIV_UNLIKELY(len + offset) > UNIV_PAGE_SIZE) {
412		recv_sys->found_corrupt_log = TRUE;
413
414		return(NULL);
415	}

When building with gcc, the second condition in if() is expanded into "__builtin_expect(len + offset, FALSE) > UNIV_PAGE_SIZE" which is likely not what it was supposed to be.

The same code is in 5.5.

How to repeat:
Examine the source.

Verified by code review in current mysql-5.1 and mysql-5.5 trees.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129527

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129528

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129531

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/129532

Pushed into mysql-5.1 5.1.56 (revid:vasil.dimov@oracle.com-20110130164158-1q99a41kb2wvkw3a) (version source revid:vasil.dimov@oracle.com-20110130164158-1q99a41kb2wvkw3a) (merge vers: 5.1.56) (pib:24)

Pushed into mysql-trunk 5.6.2 (revid:vasil.dimov@oracle.com-20110130165639-1pr3opz839b98q5j) (version source revid:vasil.dimov@oracle.com-20110130165522-m0o6al0pn5ig9kv3) (merge vers: 5.6.2) (pib:24)

Pushed into mysql-5.5 5.5.10 (revid:vasil.dimov@oracle.com-20110130165343-he9art47agq1a3gr) (version source revid:vasil.dimov@oracle.com-20110130165137-5lvzsq9j29j0hp1s) (merge vers: 5.5.10) (pib:24)