author | Arun Kuruvila <arun.kuruvila@oracle.com> | 2018-02-12 15:19:43 +0530 |
---|---|---|
committer | Arun Kuruvila <arun.kuruvila@oracle.com> | 2018-02-12 15:19:43 +0530 |
commit | e4784703ee44d0a0a497a1a411dea20987d501ad (patch) | |
tree | 1f28ecfa226f27d3f65abd9e9c210504d3edcba1 /sql-common/client.c | |
parent | e585decb459740ec53b1ac1b85f332f7bd3c8ccf (diff) | |
Bug#25471090: MYSQL USE AFTER FREE
Description:- Mysql client crashes when trying to connect
to a fake server which is sending incorrect packets.
Analysis:- Mysql client crashes when it tries to read
server version details.
Fix:- A check is added in "read_one_row()".
Diffstat (limited to 'sql-common/client.c')
-rw-r--r-- | sql-common/client.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 759d95117cb..9972ca741f2 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
@@ -1723,18 +1723,20 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
 end_pos=pos+pkt_len;
 for (field=0 ; field < fields ; field++)
 {
- if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
+ len=(ulong) net_field_length_checked(&pos, (ulong)(end_pos - pos));
+ if (pos > end_pos)
+ {
+ set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
+ return -1;
+ }
+
+ if (len == NULL_LENGTH)
 { /* null field */
 row[field] = 0;
 *lengths++=0;
 }
 else
 {
- if (len > (ulong) (end_pos - pos))
- {
- set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
- return -1;
- }
 row[field] = (char*) pos;
 pos+=len;
 *lengths++=len; |
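Review bot: Nothing visible in the second hunk still guarantees `pos + len <= end_pos` when the else branch sets `row[field]` and runs `pos+=len`, because the bound handed to `net_field_length_checked` is `end_pos - pos` taken before the helper consumes the length prefix and the old post-decode check `len > (ulong) (end_pos - pos)` has been removed. The helper is not shown on this page; if it only clamps the decoded length to the bound it is given, a field could still extend past the packet by the size of the prefix, and an over-long length sent by the server would be silently truncated instead of rejected. Widening the new guard to `if (pos > end_pos || (len != NULL_LENGTH && len > (ulong) (end_pos - pos)))` would make malformed lengths fail on the same `CR_UNKNOWN_ERROR` path. A one-line comment above the guard stating that the length prefix is untrusted server data and every field must lie inside the packet ending at `end_pos` would document the invariant. The body of read_one_row starts and ends outside the hunk, so a later check there may already cover this.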