Fixed bug #16510: Updating field named like '*name' caused server crash.

When setup_fields() function finds field named '*' it expands it to the list
of all table fields. It does so by checking that the first char of
field_name is '*', but it doesn't checks that the '* is the only char.
Due to this, when updating table with a field named like '*name', such field
is wrongly treated as '*' and expanded. This leads to making list of fields
to update being longer than list of the new values. Later, the fill_record() 
function crashes by dereferencing null when there is left fields to update,
but no more values.

Added check in the setup_fields() function which ensures that the field
expanding will be done only when '*' is the only char in the field name.

mysql-test/r/update.result

@@ -216,3 +216,7 @@ select * from t1;
 a	b
 0	2
 drop table t1;
+create table t1(f1 int, `*f2` int);
+insert into t1 values (1,1);
+update t1 set `*f2`=1;
+drop table t1;

mysql-test/t/update.test

@@ -174,3 +174,11 @@ insert into t1 values (0, '1');
 update t1 set b = b + 1 where a = 0;
 select * from t1;
 drop table t1;
+
+#
+# Bug #16510 Updating field named like '*name' caused server crash
+#
+create table t1(f1 int, `*f2` int);
+insert into t1 values (1,1);
+update t1 set `*f2`=1;
+drop table t1;

sql/sql_base.cc

@@ -1983,6 +1983,7 @@ int setup_fields(THD *thd, TABLE_LIST *tables, List<Item> &fields,
     */
     if (item->type() == Item::FIELD_ITEM &&
 	((Item_field*) item)->field_name[0] == '*' &&
+        ((Item_field*) item)->field_name[1] == 0 &&
 	!((Item_field*) item)->field)
     {
       uint elem=fields.elements;