Bug #61586 sqlwcharchr might read one SQLWCHAR after end of string
Submitted: 21 Jun 2011 12:19    Modified: 25 Jan 2012 23:18
Reporter: Jiri Dvorak
Status: Closed
Category: Connector / ODBC    Severity: S2 (Serious)
Version: 5.1.8    OS: Any
Assigned to: Bogdan Degtyariov    CPU Architecture: Any

[21 Jun 2011 12:19] Jiri Dvorak
Description:
If the desired character is not found in the string, the final *wstr++ will move the wstr pointer behind the terminating zero so incorrect and possibly unallocated memory will be accessed by the following 'if' statement. 

How to repeat:
See description.
[22 Jun 2011 11:20] Bogdan Degtyariov
Jiri,

Probably you forgot to copy/paste the code fragment into your problem description because I do not see the if() statement you are talking about.
[22 Jun 2011 14:47] Jiri Dvorak
Sorry. My knowledge of the English language is limited. I was talking about the 'if' statement "following in the function source code" and not "following in my description".

The code I am talking about is present in the mysql-connector-odbc-5.1.8 source code in util/stringutil.c in the function sqlwcharchr. That function (pasted below) contains only one if.

const SQLWCHAR *sqlwcharchr(const SQLWCHAR *wstr, SQLWCHAR wchr)
{
  while (*wstr != wchr && *wstr++);
  if (*wstr == wchr)
    return wstr;
  else
    return NULL;
}
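As an added illustration (not code from the bug report or from Connector/ODBC), the following C program models both the 5.1.8 loop quoted above and the patched loop that appears later in this thread, routing every dereference through a small tracer that records the highest index read. SQLWCHAR is defined locally as unsigned short (an assumption standing in for the ODBC header), and the sample string "ab" with one padding element after the terminator is constructed here so that the original's extra read stays inside the array and the demonstration remains well-defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: SQLWCHAR is ODBC's 16-bit wide character; defined locally so
   the program builds without sqltypes.h. */
typedef unsigned short SQLWCHAR;

/* Tracer: every read goes through tread(), which records the highest index
   (offset from base) that was dereferenced. This makes the extra read
   visible without a sanitizer. */
struct tracer {
    const SQLWCHAR *base;
    size_t max_index;
};

static SQLWCHAR tread(struct tracer *t, const SQLWCHAR *p)
{
    size_t idx = (size_t)(p - t->base);
    if (idx > t->max_index)
        t->max_index = idx;
    return *p;
}

/* Control flow of the 5.1.8 sqlwcharchr: when the terminator ends the loop,
   the trailing wstr++ still runs, and the if() reads one SQLWCHAR past it. */
static const SQLWCHAR *sqlwcharchr_orig(struct tracer *t, const SQLWCHAR *wstr,
                                        SQLWCHAR wchr)
{
    while (tread(t, wstr) != wchr && tread(t, wstr++))
        ;
    if (tread(t, wstr) == wchr)
        return wstr;
    return NULL;
}

/* Control flow of the patched sqlwcharchr: the terminator is checked before
   each comparison and the pointer only advances while inside the string. */
static const SQLWCHAR *sqlwcharchr_fixed(struct tracer *t, const SQLWCHAR *wstr,
                                         SQLWCHAR wchr)
{
    SQLWCHAR c;
    while ((c = tread(t, wstr)) != 0) {
        if (c == wchr)
            return wstr;
        ++wstr;
    }
    return NULL;
}

/* Result of one probe: where the needle was found (-1 for NULL) and the
   highest index the variant touched. */
struct probe {
    long offset;
    size_t max_index;
};

/* Constructed sample: "ab" occupies indices 0-1, the terminator is index 2,
   and index 3 is padding that a correct search must never read. In real use
   that slot may lie beyond the allocation. */
struct probe probe_variant(int use_fixed, SQLWCHAR needle)
{
    SQLWCHAR buf[4] = { 'a', 'b', 0, 0x7777 };
    struct tracer t = { buf, 0 };
    const SQLWCHAR *r = use_fixed ? sqlwcharchr_fixed(&t, buf, needle)
                                  : sqlwcharchr_orig(&t, buf, needle);
    struct probe p;
    p.offset = r ? (long)(r - buf) : -1L;
    p.max_index = t.max_index;
    return p;
}

int main(void)
{
    static const SQLWCHAR needles[] = { 'b', 'z', 0 };
    size_t i;
    printf("needle   orig(offset,maxidx)   fixed(offset,maxidx)\n");
    for (i = 0; i < sizeof needles / sizeof needles[0]; i++) {
        struct probe o = probe_variant(0, needles[i]);
        struct probe f = probe_variant(1, needles[i]);
        printf("0x%04x   (%ld, %zu)               (%ld, %zu)\n",
               needles[i], o.offset, o.max_index, f.offset, f.max_index);
    }
    return 0;
}
```

On a miss the original variant reports a highest index of 3, one past the terminator at index 2, while the patched variant stops at 2; on a hit both return the same offset. The probe with a needle of 0 also shows the one behavioural difference between the two: the original returns the terminator's position, the patched loop returns NULL.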
[3 Aug 2011 12:50] Bogdan Degtyariov
Verified, the problem exists.
[3 Aug 2011 12:54] Bogdan Degtyariov
=== modified file 'util/stringutil.c'
--- util/stringutil.c	2010-08-19 15:37:55 +0000
+++ util/stringutil.c	2011-08-03 12:53:02 +0000
@@ -526,11 +526,15 @@
  */
 const SQLWCHAR *sqlwcharchr(const SQLWCHAR *wstr, SQLWCHAR wchr)
 {
-  while (*wstr != wchr && *wstr++);
-  if (*wstr == wchr)
-    return wstr;
-  else
-    return NULL;
+  while (*wstr)
+  {
+    if (*wstr == wchr)
+    {
+      return wstr;
+    }
+    ++wstr;
+  }
+  return NULL;
 }
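Review bot: the rewritten loop tests `*wstr` before every dereference and never advances past the terminator, which removes the out-of-bounds read; it does however change behaviour for `wchr == 0`. The removed code returned a pointer to the terminator in that case (the way wcschr does), whereas the new loop returns NULL. If any caller relies on locating the terminator, add `if (*wstr == wchr) return wstr;` before the final `return NULL;`, otherwise document the new contract in the function comment above the hunk.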
[3 Aug 2011 12:57] Bogdan Degtyariov
And the entry for CHANGELOG:

=== modified file 'ChangeLog'
--- ChangeLog	2011-02-04 20:03:09 +0000
+++ ChangeLog	2011-08-03 12:56:44 +0000
@@ -3,7 +3,7 @@
   Bugs fixed:
   * SQLFetch() did not return SQL_ERROR if connection was dropped due to a
     timeout. (Bug #39878)
-
+  * sqlwcharchr might read one SQLWCHAR after end of string. (Bug #61586)
 ----
 
 5.1.8 (08-Nov-2010)
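Review bot: the new entry replaces the blank line that separated the "Bugs fixed" list from the `----` rule rather than being inserted above it, so the list now runs straight into the rule; keep an empty line after `* sqlwcharchr might read one SQLWCHAR after end of string. (Bug #61586)` so the section layout matches the rest of the file.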
[3 Aug 2011 13:04] Lawrenty Novitsky
pushed to the trunk as rev#979
[25 Jan 2012 23:18] Philip Olson
This was already documented, as:

An off-by-one error, where <literal>sqlwcharchr</literal> might
read one <literal>SQLWCHAR</literal> after the end of a string.

So, closing.