protect from [heap] buffer overrrun by malicious server

a31d258b · unknown · e753fa4d · a31d258b
Commit a31d258b authored Dec 04, 2002 by unknown
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

libmysql/libmysql.c libmysql/libmysql.c +10 -2

No files found.
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -891,7 +891,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
  uint	field,pkt_len;
  ulong len;
  uchar *cp;
-  char	*to;
+  char	*to, *end_to;
  MYSQL_DATA *result;
  MYSQL_ROWS **prev_ptr,*cur;
  NET *net = &mysql->net;
@@ -929,6 +929,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
    *prev_ptr=cur;
    prev_ptr= &cur->next;
    to= (char*) (cur->data+fields+1);
+    end_to=to+pkt_len-1;
    for (field=0 ; field < fields ; field++)
    {
      if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
@@ -938,6 +939,13 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
      else
      {
 	cur->data[field] = to;
+        if (to+len > end_to)
+        {
+          free_rows(result);
+          net->last_errno=CR_UNKNOWN_ERROR;
+          strmov(net->last_error,ER(net->last_errno));
+          DBUG_RETURN(0);
+        }
 	memcpy(to,(char*) cp,len); to[len]=0;
 	to+=len+1;
 	cp+=len;