mirror of https://github.com/MariaDB/server.git synced 2026-01-06 05:22:24 +03:00

On behalf of Kristofer :

Bug#53417 my_getwd() makes assumptions on the buffer sizes which not always hold true
      
The mysys library contains many functions for rewriting file paths. Most of these
functions makes implicit assumptions on the buffer sizes they write to. If a path is put
in my_realpath() it will propagate to my_getwd() which assumes that the buffer holding
the path name is greater than 2. This is not true in cases.
      
In the special case where a VARBIN_ITEM is passed as argument to the LOAD_FILE function
this can lead to a crash.
      
This patch fixes the issue by introducing more safeguards against buffer overruns.
Georgi Kodinov
2010-05-05 11:54:52 +03:00
parent ed4819bbf7
commit addd0a3e67
5 changed files with 33 additions and 6 deletions


@@ -34,7 +34,7 @@ char * my_load_path(char * to, const char *path,
if ((path[0] == FN_HOMELIB && path[1] == FN_LIBCHAR) ||
test_if_hard_path(path))
VOID(strmov(buff,path));
VOID(strnmov(buff, path, FN_REFLEN));
else if ((is_cur=(path[0] == FN_CURLIB && path[1] == FN_LIBCHAR)) ||
(is_prefix(path,FN_PARENTDIR)) ||
! own_path_prefix)
@@ -42,13 +42,14 @@ char * my_load_path(char * to, const char *path,
if (is_cur)
is_cur=2; /* Remove current dir */
if (! my_getwd(buff,(uint) (FN_REFLEN-strlen(path)+is_cur),MYF(0)))
VOID(strcat(buff,path+is_cur));
VOID(strncat(buff, path+is_cur, FN_REFLEN));
else
VOID(strmov(buff,path)); /* Return org file name */
VOID(strnmov(buff, path, FN_REFLEN)); /* Return org file name */
}
else
VOID(strxmov(buff,own_path_prefix,path,NullS));
strmov(to,buff);
VOID(strxnmov(buff, FN_REFLEN, own_path_prefix,path, NullS));
strnmov(to, buff, FN_REFLEN);
to[FN_REFLEN-1]= '\0';
DBUG_PRINT("exit",("to: %s",to));
DBUG_RETURN(to);
} /* my_load_path */
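Review bot: The new `strncat(buff, path+is_cur, FN_REFLEN)` call in the second hunk is not bounded by the space left in `buff`, because strncat's third argument limits how many characters are appended, not the total size of the destination. Since `buff` already holds the working directory from my_getwd() at that point, a long `path` can still write past the end of it; the declaration of `buff` is outside the hunk, so its size is presumably FN_REFLEN. The bound should be the remaining room, `VOID(strncat(buff, path+is_cur, FN_REFLEN - strlen(buff) - 1));`. The size passed to my_getwd(), `FN_REFLEN-strlen(path)+is_cur`, is unsigned arithmetic that wraps when `path` is longer than FN_REFLEN, so a length check on `path` before that call would also be worth adding. The function body starts outside the hunk.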