Commit f3e431a0 authored by unknown's avatar unknown

Fix for a crashing bug in send_data..


sql/net_pkg.cc:
  Fixing a buffer overflow with huge BLOBs.
  This bug was caused by increasing the storage used for the length of
  the data, while not enough memory was allocated for it.
parent 73058424
...@@ -283,8 +283,13 @@ bool ...@@ -283,8 +283,13 @@ bool
net_store_data(String *packet,const char *from,uint length) net_store_data(String *packet,const char *from,uint length)
{ {
ulong packet_length=packet->length(); ulong packet_length=packet->length();
if (packet_length+5+length > packet->alloced_length() && /*
packet->realloc(packet_length+5+length)) We have added net5store in net_store_length.
Before that largest size was int3store.
Therefore +5 is changed to +9
*/
if (packet_length+9+length > packet->alloced_length() &&
packet->realloc(packet_length+9+length))
return 1; return 1;
char *to=(char*) net_store_length((char*) packet->ptr()+packet_length, char *to=(char*) net_store_length((char*) packet->ptr()+packet_length,
(ulonglong) length); (ulonglong) length);
...@@ -300,8 +305,8 @@ net_store_data(String *packet,const char *from) ...@@ -300,8 +305,8 @@ net_store_data(String *packet,const char *from)
{ {
uint length=(uint) strlen(from); uint length=(uint) strlen(from);
uint packet_length=packet->length(); uint packet_length=packet->length();
if (packet_length+5+length > packet->alloced_length() && if (packet_length+9+length > packet->alloced_length() &&
packet->realloc(packet_length+5+length)) packet->realloc(packet_length+9+length))
return 1; return 1;
char *to=(char*) net_store_length((char*) packet->ptr()+packet_length, char *to=(char*) net_store_length((char*) packet->ptr()+packet_length,
length); length);
......
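Review bot: In the second overload (`net_store_data(String *packet,const char *from)`) the sum `packet_length+9+length` is computed on two `uint` values and `length` comes from `(uint) strlen(from)`, so for a very large input the sum can wrap, the `> packet->alloced_length()` test then passes without a `realloc`, and the data written after `to` would presumably run past the buffer; the first overload has the same exposure wherever `ulong` is 32 bits wide. Since the commit is about overflows on huge BLOBs, I would compute the needed size in a wider type and reject what does not fit, e.g. `ulonglong needed= (ulonglong) packet_length+9+length;` followed by `if (needed > UINT_MAX) return 1;` ahead of the existing test (the width `realloc` accepts is not visible here, so the limit should match its parameter type). The literal `9` now appears four times and is explained only in the first function; a named constant for the largest prefix `net_store_length` can write would keep the two checks in step. Both function bodies continue outside the hunks shown.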