author | Stanislav Malyshev <stas@php.net> | 2016-09-12 20:25:08 -0700 |
---|---|---|
committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-09-15 10:04:51 +0200 |
commit | b4edc331997b2dbc6bf5da9af4aeffd78306ffb9 (patch) | |
tree | c84c58f5f6e22d3ea217949fc4eb711b61a3fe1f | |
parent | 812f9c8a632f74d475cbc5b82e09190c8d47f740 (diff) | |
download | php-git-b4edc331997b2dbc6bf5da9af4aeffd78306ffb9.tar.gz |
Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields
-rw-r--r-- | ext/mysqlnd/mysqlnd_wireprotocol.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 74c9724991..855a25cea1 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -1585,6 +1585,7 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 	zend_uchar * p = row_buffer->ptr;
 	size_t data_size = row_buffer->app;
 	zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+	const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
 
 	DBG_ENTER("php_mysqlnd_rowp_read_text_protocol_aux");
 
@@ -1606,8 +1607,13 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 			/* Don't reverse the order. It is significant!*/
 			zend_uchar *this_field_len_pos = p;
 			/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
-			unsigned long len = php_mysqlnd_net_field_length(&p);
+			const unsigned long len = php_mysqlnd_net_field_length(&p);
+			if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
+				php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+								" bytes after end of packet", (p + len) - packet_end - 1);
+				DBG_RETURN(FAIL);
+			}
 			if (copy_data == FALSE && current_field > start_field && last_field_was_string) {
 				/* Normal queries: |
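Review bot: `packet_end` is introduced without a comment stating that it is one past the last byte of the row data, while the neighbouring `bit_area` declaration does document its role; a short `/* one past the last byte of row data; no field may extend beyond it */` beside it would make the bound's meaning explicit for the checks that rely on it. The check that uses it in the following hunk computes `p + len` before comparing, so an oversized `len` read from the wire yields a pointer outside the buffer before the comparison rejects it, which is undefined behaviour in C and a comparison a compiler may fold away; comparing lengths instead, `len > (size_t)(packet_end - p)`, keeps the arithmetic inside the object. The bound is derived from `row_buffer->app`, which this hunk does not show being validated, so it is worth confirming that the caller sets it from the actual received packet length. The function body continues outside both hunks.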