Bug#25471090: MYSQL USE AFTER FREE

in a specially crafted invalid packet, one can get end_pos < pos here
author: Sergei Golubchik <serg@mariadb.org> 2018-04-19 22:39:24 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2018-04-19 22:49:19 +0200
commit: 7828ba0df488de8c793e41e4bd3de79e06c2537f (patch)
tree: d8c6ab2f605e6b75de278e5813d72b0648372514
parent: 149c993b2cdf4b6ccdce6f8bbbd28a38fc7404ee (diff)
download: mariadb-git-7828ba0df488de8c793e41e4bd3de79e06c2537f.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index fc591e21616..bb7bdb1ff7d 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1708,7 +1708,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
     }
     else
     {
-      if (len > (ulong) (end_pos - pos))
+      if (pos + len > end_pos)
       {
         set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
         return -1;
author	Sergei Golubchik <serg@mariadb.org>	2018-04-19 22:39:24 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2018-04-19 22:49:19 +0200
commit	7828ba0df488de8c793e41e4bd3de79e06c2537f (patch)
tree	d8c6ab2f605e6b75de278e5813d72b0648372514
parent	149c993b2cdf4b6ccdce6f8bbbd28a38fc7404ee (diff)
download	mariadb-git-7828ba0df488de8c793e41e4bd3de79e06c2537f.tar.gz