Comment 25 for bug 915814

fengyi (fengyi) wrote :

Master : 5.1.48
Slave : 5.5.18(query cache on)

As described in http://bugs.mysql.com/bug.php?id=64624, I ran the slave under valgrind and got the following information:

Thread 21:
Conditional jump or move depends on uninitialised value(s)
    at 0x5A6743: Query_cache::send_result_to_client(THD*, char*, unsigned int) (sql_cache.cc:2051)
    by 0x5EDE27: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:5756)
    by 0x800B79: Query_log_event::do_apply_event(Relay_log_info const*, char const*, unsigned int) (log_event.cc:3398)
    by 0x800157: Query_log_event::do_apply_event(Relay_log_info const*) (log_event.cc:3166)
    by 0x572005: Log_event::apply_event(Relay_log_info const*) (log_event.h:1135)
    by 0x56B1A9: apply_event_and_update_pos(Log_event*, THD*, Relay_log_info*) (slave.cc:2351)
    by 0x56B6E9: exec_relay_log_event(THD*, Relay_log_info*) (slave.cc:2511)
    by 0x56D8F6: handle_slave_sql (slave.cc:3329)
    by 0x3A01806D63: start_thread (pthread_create.c:308)

I looked into the source code and found that the query buffer allocated in Query_log_event::Query_log_event does not contain the db_len field (sizeof(size_t)), but in alloc_query there are statement, length, db_name and flag, which results in an uninitialized data access in Query_cache::send_result_to_client:

    size_t db_len;
    memcpy((char *) &db_len, (sql + query_length + 1), sizeof(size_t));
    if (thd->db_length != db_len)
    {

But I didn't find that this can lead to a server crash, as the uninitialized data are just junk, not a NULL pointer.

Can anyone tell me why this bug can crash the slave?
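An added illustration of the layout mismatch described in the comment, constructed for this thread and not taken from MySQL: one producer writes the db_len field the cache reader expects, another omits it (as the comment says the Query_log_event path does), and a length-checked reader rejects the short buffer instead of reading past the allocation, which is the access valgrind reported. The field offsets and names are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the layout the cache reader expects, per the comment's
 * description of alloc_query: query, NUL, db_len (size_t), db name, flag byte.
 * Not MySQL's code; the offsets are this example's assumption. */
typedef struct { char *buf; size_t len; } query_buf;

/* Producer that writes every field the reader expects (alloc_query path). */
static query_buf build_with_db_len(const char *query, const char *db) {
    size_t qlen = strlen(query), dblen = strlen(db);
    size_t total = qlen + 1 + sizeof(size_t) + dblen + 1;
    char *p = malloc(total);
    memcpy(p, query, qlen + 1);                       /* query + NUL */
    memcpy(p + qlen + 1, &dblen, sizeof(size_t));     /* db_len */
    memcpy(p + qlen + 1 + sizeof(size_t), db, dblen); /* db name */
    p[total - 1] = 0;                                 /* flag */
    return (query_buf){p, total};
}

/* Producer modelling the event path in the comment: nothing after the NUL,
 * so reading sizeof(size_t) bytes there runs past the allocation. */
static query_buf build_without_db_len(const char *query) {
    size_t qlen = strlen(query);
    char *p = malloc(qlen + 1);
    memcpy(p, query, qlen + 1);
    return (query_buf){p, qlen + 1};
}

/* Length-checked reader: 0 and the stored db_len only if the buffer can hold
 * the field, else -1. The unchecked memcpy is what valgrind flagged. */
static int read_db_len(query_buf q, size_t query_length, size_t *out) {
    size_t need = query_length + 1 + sizeof(size_t);
    if (query_length >= q.len || need > q.len) return -1;
    memcpy(out, q.buf + query_length + 1, sizeof(size_t));
    return 0;
}

int main(void) {
    size_t n = 0;
    query_buf ok = build_with_db_len("SELECT 1", "test");
    query_buf bad = build_without_db_len("SELECT 1");
    int rc = read_db_len(ok, 8, &n);
    printf("with db_len: rc=%d db_len=%zu\n", rc, n);
    printf("without db_len: rc=%d\n", read_db_len(bad, 8, &n));
    free(ok.buf); free(bad.buf);
    return 0;
}
```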