Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY

(cherry picked from commit b5b986b2cbd9a7848dc3f48e5c42b6d4e1e5fb22)

Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY
(cherry picked from commit b5b986b2cbd9a7848dc3f48e5c42b6d4e1e5fb22)
e48d775c · Ivo Roylev · Hery Ramilison · bd5ca6ac · e48d775c
Commit e48d775c authored Jun 14, 2018 by Ivo Roylev Committed by Hery Ramilison Jun 15, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

sql-common/client.c sql-common/client.c +3 -1

No files found.
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
    {
      uchar *pos;
      /* fields count may be wrong */
-      DBUG_ASSERT((uint) (field - result) < fields);
+      if (field < result || (uint) (field - result) >= fields)
+        DBUG_RETURN(NULL);
      cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
      field->catalog=   strmake_root(alloc,(char*) row->data[0], lengths[0]);
      field->db=        strmake_root(alloc,(char*) row->data[1], lengths[1]);
@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,

  if ((pkt_len= cli_safe_read(mysql)) == packet_error)
    DBUG_RETURN(0);
+  if (pkt_len == 0) DBUG_RETURN(0);
  if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA),
 				       MYF(MY_WME | MY_ZEROFILL))))
  {