Commit cad692f9 authored by Ivo Roylev's avatar Ivo Roylev

Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY

parent 7b2f4b82
...@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields, ...@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
{ {
uchar *pos; uchar *pos;
/* fields count may be wrong */ /* fields count may be wrong */
DBUG_ASSERT((uint) (field - result) < fields); if (field < result || (uint) (field - result) >= fields)
DBUG_RETURN(NULL);
cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7); cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
field->catalog= strmake_root(alloc,(char*) row->data[0], lengths[0]); field->catalog= strmake_root(alloc,(char*) row->data[0], lengths[0]);
field->db= strmake_root(alloc,(char*) row->data[1], lengths[1]); field->db= strmake_root(alloc,(char*) row->data[1], lengths[1]);
...@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, ...@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
if ((pkt_len= cli_safe_read(mysql)) == packet_error) if ((pkt_len= cli_safe_read(mysql)) == packet_error)
DBUG_RETURN(0); DBUG_RETURN(0);
if (pkt_len == 0) DBUG_RETURN(0);
if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA), if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA),
MYF(MY_WME | MY_ZEROFILL)))) MYF(MY_WME | MY_ZEROFILL))))
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment