Commit 615c9465 authored by serg@serg.mysql.com's avatar serg@serg.mysql.com

protect from [heap] buffer overrrun by malicious server

parent 33de7e55
...@@ -891,7 +891,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, ...@@ -891,7 +891,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
uint field,pkt_len; uint field,pkt_len;
ulong len; ulong len;
uchar *cp; uchar *cp;
char *to; char *to, *end_to;
MYSQL_DATA *result; MYSQL_DATA *result;
MYSQL_ROWS **prev_ptr,*cur; MYSQL_ROWS **prev_ptr,*cur;
NET *net = &mysql->net; NET *net = &mysql->net;
...@@ -929,6 +929,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, ...@@ -929,6 +929,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
*prev_ptr=cur; *prev_ptr=cur;
prev_ptr= &cur->next; prev_ptr= &cur->next;
to= (char*) (cur->data+fields+1); to= (char*) (cur->data+fields+1);
end_to=to+pkt_len-1;
for (field=0 ; field < fields ; field++) for (field=0 ; field < fields ; field++)
{ {
if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
...@@ -938,6 +939,13 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, ...@@ -938,6 +939,13 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
else else
{ {
cur->data[field] = to; cur->data[field] = to;
if (to+len > end_to)
{
free_rows(result);
net->last_errno=CR_UNKNOWN_ERROR;
strmov(net->last_error,ER(net->last_errno));
DBUG_RETURN(0);
}
memcpy(to,(char*) cp,len); to[len]=0; memcpy(to,(char*) cp,len); to[len]=0;
to+=len+1; to+=len+1;
cp+=len; cp+=len;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment