
Bug#27799513: POTENTIAL DOUBLE FREE OR CORRUPTION OF HEAP

INFO (HP_INFO)

Description:- Server crashes due to memory overflow.

Analysis:- Bytes for storing key length is wrongly set
for HEAP tables.

Fix:- Bytes used to store the key length is properly set
inside "heap_create()".
Arun Kuruvila
2018-06-29 12:09:18 +05:30
parent e1fdeb2468
commit 22e99fcb34


@@ -1,4 +1,4 @@
/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -92,7 +92,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info,
/* fall_through */
case HA_KEYTYPE_VARTEXT1:
keyinfo->flag|= HA_VAR_LENGTH_KEY;
length+= 2;
/*
For BTREE algorithm, key length, greater than or equal
to 255, is packed on 3 bytes.
*/
if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
length+= size_to_store_key_length(keyinfo->seg[j].length);
else
length+= 2;
/* Save number of bytes used to store length */
keyinfo->seg[j].bit_start= 1;
break;
@@ -101,7 +108,14 @@ int heap_create(const char *name, HP_CREATE_INFO *create_info,
/* fall_through */
case HA_KEYTYPE_VARTEXT2:
keyinfo->flag|= HA_VAR_LENGTH_KEY;
length+= 2;
/*
For BTREE algorithm, key length, greater than or equal
to 255, is packed on 3 bytes.
*/
if (keyinfo->algorithm == HA_KEY_ALG_BTREE)
length+= size_to_store_key_length(keyinfo->seg[j].length);
else
length+= 2;
/* Save number of bytes used to store length */
keyinfo->seg[j].bit_start= 2;
/*
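Review bot: The length-prefix sizing is now written out twice, once in the HA_KEYTYPE_VARTEXT1 arm and again in the HA_KEYTYPE_VARTEXT2 arm, and in both places it is computed separately from the code that later packs the key, so the two can drift apart again. Going by the commit message, this sum sizes the key buffer and an undercount is what corrupted the heap, so the added comment should state that invariant rather than only the 3-byte case, for example `/* length must reserve exactly the prefix bytes the BTREE key packing writes; see size_to_store_key_length() */`. Hoisting the `if (keyinfo->algorithm == HA_KEY_ALG_BTREE)` / `else` pair into one small static helper called from both arms would keep a single copy. The page does not show whether the fixed `length+= 2;` kept for non-BTREE keys matches what the hash path stores for these segments, so that is worth confirming against the hash key-building code; the switch and the rest of heap_create() lie outside the hunks.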