BUG#22053 - REPAIR table can crash server for some

            really damaged MyISAM tables

When unpacking a blob column from broken row server crash
could happen. This could rather happen when trying to repair
a table using either REPAIR TABLE or myisamchk, though it
also could happend when trying to access broken row using
other SQL statements like SELECT if table is not marked as
crashed.

Fixed ulong overflow when trying to extract blob from
broken row.

Affects MyISAM only.


myisam/mi_dynrec.c:
  Fixed ulong overflow when trying to extract blob from
  broken row. It happens when there are not enough bytes
  to store blob length in `from' buffer. In this case
  (ulong) (from_end - from) - size_length value is huge,
  close to ULONG_MAX.

myisam/mi_dynrec.c

@@ -992,9 +992,11 @@ ulong _mi_rec_unpack(register MI_INFO *info, register byte *to, byte *from,
       {
 	uint size_length=rec_length- mi_portable_sizeof_char_ptr;
 	ulong blob_length=_mi_calc_blob_length(size_length,from);
-	if ((ulong) (from_end-from) - size_length < blob_length ||
-	    min_pack_length > (uint) (from_end -(from+size_length+blob_length)))
-	  goto err;
+        ulong from_left= (ulong) (from_end - from);
+        if (from_left < size_length ||
+            from_left - size_length < blob_length ||
+            from_left - size_length - blob_length < min_pack_length)
+          goto err;
 	memcpy((byte*) to,(byte*) from,(size_t) size_length);
 	from+=size_length;
 	memcpy_fixed((byte*) to+size_length,(byte*) &from,sizeof(char*));